From 34800ec5073c5d5923f2114081f9e569c303764d Mon Sep 17 00:00:00 2001 From: Andrea Lattuada Date: Tue, 20 Aug 2024 20:07:20 +0200 Subject: [PATCH] add doubly-linked-list experiments --- milli/doubly-linked-list/.gitignore | 2 + milli/doubly-linked-list/Fstarlowstar.fst | 2022 ++++++ .../doubly-linked-list/FstarlowstarIface.fst | 1042 +++ .../doubly-linked-list/FstarlowstarIface.fsti | 521 ++ milli/doubly-linked-list/FstarlowstarMain.fst | 43 + .../doubly-linked-list-oneshot.mlcfg | 5471 +++++++++++++++ .../why3session.xml | 513 ++ .../why3session.xml.bak | 568 ++ .../doubly-linked-list-oneshot/why3shapes.gz | Bin 0 -> 11370 bytes .../why3shapes.gz.bak | Bin 0 -> 12859 bytes .../linked-list-repeat-01.mlcfg | 5550 +++++++++++++++ .../linked-list-repeat-01/why3session.xml | 58 + .../linked-list-repeat-01/why3shapes.gz | Bin 0 -> 3427 bytes .../linked-list-repeat-02.mlcfg | 5586 +++++++++++++++ .../linked-list-repeat-02/why3session.xml | 58 + .../linked-list-repeat-02/why3shapes.gz | Bin 0 -> 3529 bytes .../linked-list-repeat-03.mlcfg | 5622 +++++++++++++++ .../linked-list-repeat-03/why3session.xml | 58 + .../linked-list-repeat-03/why3shapes.gz | Bin 0 -> 3537 bytes .../linked-list-repeat-04.mlcfg | 5658 +++++++++++++++ .../linked-list-repeat-04/why3session.xml | 58 + .../linked-list-repeat-04/why3shapes.gz | Bin 0 -> 3564 bytes .../linked-list-repeat-05.mlcfg | 5694 +++++++++++++++ .../linked-list-repeat-05/why3session.xml | 58 + .../linked-list-repeat-05/why3shapes.gz | Bin 0 -> 3554 bytes .../linked-list-repeat-06.mlcfg | 5730 ++++++++++++++++ .../linked-list-repeat-06/why3session.xml | 58 + .../linked-list-repeat-06/why3shapes.gz | Bin 0 -> 3552 bytes .../linked-list-repeat-07.mlcfg | 5766 ++++++++++++++++ .../linked-list-repeat-07/why3session.xml | 58 + .../linked-list-repeat-07/why3shapes.gz | Bin 0 -> 3559 bytes .../linked-list-repeat-08.mlcfg | 5802 ++++++++++++++++ .../linked-list-repeat-08/why3session.xml | 58 + .../linked-list-repeat-08/why3shapes.gz | Bin 0 -> 3558 bytes .../linked-list-repeat-09.mlcfg | 5838 ++++++++++++++++ .../linked-list-repeat-09/why3session.xml | 58 + .../linked-list-repeat-09/why3shapes.gz | Bin 0 -> 3554 bytes .../linked-list-repeat-10.mlcfg | 5874 ++++++++++++++++ .../linked-list-repeat-10/why3session.xml | 58 + .../linked-list-repeat-10/why3shapes.gz | Bin 0 -> 3544 bytes .../linked-list-repeat-11.mlcfg | 5910 ++++++++++++++++ .../linked-list-repeat-11/why3session.xml | 58 + .../linked-list-repeat-11/why3shapes.gz | Bin 0 -> 3549 bytes .../linked-list-repeat-12.mlcfg | 5946 ++++++++++++++++ .../linked-list-repeat-12/why3session.xml | 58 + .../linked-list-repeat-12/why3shapes.gz | Bin 0 -> 3544 bytes .../linked-list-repeat-13.mlcfg | 5982 ++++++++++++++++ .../linked-list-repeat-13/why3session.xml | 58 + .../linked-list-repeat-13/why3session.xml.bak | 527 ++ .../linked-list-repeat-13/why3shapes.gz | Bin 0 -> 3541 bytes .../linked-list-repeat-13/why3shapes.gz.bak | Bin 0 -> 9954 bytes .../linked-list-repeat-14.mlcfg | 6018 ++++++++++++++++ .../linked-list-repeat-14/why3session.xml | 58 + .../linked-list-repeat-14/why3shapes.gz | Bin 0 -> 3545 bytes .../linked-list-repeat-15.mlcfg | 6054 ++++++++++++++++ .../linked-list-repeat-15/why3session.xml | 58 + .../linked-list-repeat-15/why3shapes.gz | Bin 0 -> 3542 bytes .../linked-list-repeat-16.mlcfg | 6090 +++++++++++++++++ .../linked-list-repeat-16/why3session.xml | 58 + .../linked-list-repeat-16/why3shapes.gz | Bin 0 -> 3542 bytes milli/doubly-linked-list/creusot.rs | 536 ++ milli/doubly-linked-list/dafny.dfy | 377 + milli/doubly-linked-list/explib.py | 35 + milli/doubly-linked-list/oneshot.py | 57 + .../repeat-creusot/creusot-01.rs | 536 ++ .../repeat-creusot/creusot-02.rs | 541 ++ .../repeat-creusot/creusot-03.rs | 546 ++ .../repeat-creusot/creusot-04.rs | 551 ++ .../repeat-creusot/creusot-05.rs | 556 ++ .../repeat-creusot/creusot-06.rs | 561 ++ .../repeat-creusot/creusot-07.rs | 566 ++ .../repeat-creusot/creusot-08.rs | 571 ++ .../repeat-creusot/creusot-09.rs | 576 ++ .../repeat-creusot/creusot-10.rs | 581 ++ .../repeat-creusot/creusot-11.rs | 586 ++ .../repeat-creusot/creusot-12.rs | 591 ++ .../repeat-creusot/creusot-13.rs | 596 ++ .../repeat-creusot/creusot-14.rs | 601 ++ .../repeat-creusot/creusot-15.rs | 606 ++ .../repeat-creusot/creusot-16.rs | 611 ++ .../repeat.FstarlowstarMain.fst.py | 56 + milli/doubly-linked-list/repeat.creusot.rs.py | 22 + milli/doubly-linked-list/repeat.dafny.dfy.py | 22 + milli/doubly-linked-list/repeat.py | 107 + milli/doubly-linked-list/repeat.verus.rs.py | 23 + milli/doubly-linked-list/verus.rs | 508 ++ milli/experiments.sh | 2 + 87 files changed, 115678 insertions(+) create mode 100644 milli/doubly-linked-list/.gitignore create mode 100644 milli/doubly-linked-list/Fstarlowstar.fst create mode 100644 milli/doubly-linked-list/FstarlowstarIface.fst create mode 100644 milli/doubly-linked-list/FstarlowstarIface.fsti create mode 100644 milli/doubly-linked-list/FstarlowstarMain.fst create mode 100644 milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml.bak create mode 100644 milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3shapes.gz.bak create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml.bak create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3shapes.gz.bak create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16.mlcfg create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16/why3session.xml create mode 100644 milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16/why3shapes.gz create mode 100644 milli/doubly-linked-list/creusot.rs create mode 100644 milli/doubly-linked-list/dafny.dfy create mode 100644 milli/doubly-linked-list/explib.py create mode 100644 milli/doubly-linked-list/oneshot.py create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-01.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-02.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-03.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-04.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-05.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-06.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-07.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-08.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-09.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-10.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-11.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-12.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-13.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-14.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-15.rs create mode 100644 milli/doubly-linked-list/repeat-creusot/creusot-16.rs create mode 100644 milli/doubly-linked-list/repeat.FstarlowstarMain.fst.py create mode 100644 milli/doubly-linked-list/repeat.creusot.rs.py create mode 100644 milli/doubly-linked-list/repeat.dafny.dfy.py create mode 100644 milli/doubly-linked-list/repeat.py create mode 100644 milli/doubly-linked-list/repeat.verus.rs.py create mode 100644 milli/doubly-linked-list/verus.rs diff --git a/milli/doubly-linked-list/.gitignore b/milli/doubly-linked-list/.gitignore new file mode 100644 index 0000000..f324fcd --- /dev/null +++ b/milli/doubly-linked-list/.gitignore @@ -0,0 +1,2 @@ +/__pycache__/ +/repeat-out/ diff --git a/milli/doubly-linked-list/Fstarlowstar.fst b/milli/doubly-linked-list/Fstarlowstar.fst new file mode 100644 index 0000000..5fbd800 --- /dev/null +++ b/milli/doubly-linked-list/Fstarlowstar.fst @@ -0,0 +1,2022 @@ +// From: https://github.com/FStarLang/FStar/blob/master/examples/doublylinkedlist/DoublyLinkedList.fst + +(* + Copyright 2008-2019 Microsoft Research + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*) + +module Fstarlowstar + +open FStar +open FStar.HyperStack.ST +open FStar.Ghost +open LowStar.ModifiesPat +open FStar.List.Tot +open FStar.List.Pure +open LowStar.BufferOps +module Mod = LowStar.Modifies +module ST = FStar.HyperStack.ST +module HS = FStar.HyperStack +module B = LowStar.Buffer + +/// Convenience renaming + +unfold let heap = HS.mem +unfold let contains #a #rrel #rel h b = B.live #a #rrel #rel h b + +/// Convenience patterns + +let lemma_non_null (#t:Type) (a:pointer_or_null t) : + Lemma + (requires (a =!= null)) + (ensures (len a = 1ul)) + [SMTPat (len a)] = + null_unique a + +/// Convenience operators + +unfold let (.[]) (s:list 'a) (n:nat{n < length s}) = index s n +unfold let (~.) (#t:Type) (a:t) : Tot (erased (list t)) = [a] +unfold let (^+) (#t:Type) (a:t) (b:erased (list t)) : Tot (erased (list t)) = Cons a b +unfold let (+^) (#t:Type) (a:erased (list t)) (b:t) : Tot (erased (list t)) = append a [b] +unfold let (^@^) (#t:Type) (a:erased (list t)) (b:erased (list t)) : Tot (erased (list t)) = append a b +unfold let (@) (a:pointer 't) (h0:heap) = B.get h0 a 0 +unfold let (^@) (a:pointer_or_null 't{a =!= null}) (h0:heap) = B.get h0 a 0 + +/// All the data structures + +#set-options "--__no_positivity" + +unopteq +(** Node of a doubly linked list *) +type node (t:Type0) = { + (* forward link *) + flink: pointer_or_null (node t); + (* backward link *) + blink: pointer_or_null (node t); + (* payload *) + p: t; +} + +#reset-options + +private +type nodelist t = list (pointer (node t)) + +unopteq +(** Doubly linked list head *) +type dll (t:Type0) ={ + lhead: pointer_or_null (node t); + ltail: pointer_or_null (node t); + nodes: erased (nodelist t); +} + +type nonempty_dll t = (h:dll t{h.lhead =!= null /\ h.ltail =!= null}) + +unopteq private +(** An "almost valid" dll *) +type piece t = { + phead: pointer (node t); + ptail: pointer (node t); + pnodes: erased (nodelist t); +} + +unopteq private +(** An intermediate for when linked lists are being formed or destroyed *) +type fragment t = + | Frag0 : fragment t + | Frag1 : piece t -> fragment t + | Frag2 : piece t -> piece t -> fragment t + | Frag3 : piece t -> piece t -> piece t -> fragment t + +/// Some useful empty initializers + +(** Initialize an element of a doubly linked list *) +val empty_node: #t:Type -> payload:t -> node t +let empty_node #t payload = + { flink = null ; blink = null ; p = payload } + +(** Initialize a doubly linked list head *) +val empty_list: #t:Type -> dll t + +let empty_list #t = + { lhead = null ; ltail = null ; nodes = [] } + +/// Convenience wrappers for writing properties on fragments + +let fragment_for_each0 (#t:Type) (pr:piece t -> GTot Type0) (f:fragment t) : GTot Type0 = + match f with + | Frag0 -> True + | Frag1 p1 -> pr p1 + | Frag2 p1 p2 -> pr p1 /\ pr p2 + | Frag3 p1 p2 p3 -> pr p1 /\ pr p2 /\ pr p3 + +let fragment_for_each1 (#t:Type) (#u:Type) (pr:u -> piece t -> GTot Type0) (v:u) (f:fragment t) : GTot Type0 = + match f with + | Frag0 -> True + | Frag1 p1 -> pr v p1 + | Frag2 p1 p2 -> pr v p1 /\ pr v p2 + | Frag3 p1 p2 p3 -> pr v p1 /\ pr v p2 /\ pr v p3 + +let fragment_length (#t:Type) (f:fragment t) : GTot int = + match f with + | Frag0 -> 0 + | Frag1 _ -> 1 + | Frag2 _ _ -> 2 + | Frag3 _ _ _ -> 3 + +/// Ghostly connections + +let dll_ghostly_connections (#t:Type) (d:dll t) : GTot Type0 = + let nodes = d.nodes in + match length nodes with + | 0 -> d.lhead == null /\ d.ltail == null + | _ -> d.lhead =!= null /\ d.ltail =!= null /\ + d.lhead == hd nodes /\ + d.ltail == last nodes + +let piece_ghostly_connections (#t:Type) (p:piece t) : GTot Type0 = + let nodes = p.pnodes in + match length nodes with + | 0 -> False + | _ -> p.phead == hd nodes /\ + p.ptail == last nodes + +let rec fragment_ghostly_connections (#t:Type) (f:fragment t) : GTot Type0 = + fragment_for_each0 piece_ghostly_connections f + +/// Containment properties +/// +/// WARNING: [@@] and [^@] require containment to reasonably talk about +/// what they do. + +let rec nodelist_contained0 (#t:Type) (h0:heap) (nl:nodelist t) : GTot Type0 = + match nl with + | [] -> True + | n :: ns -> h0 `contains` n /\ nodelist_contained0 h0 ns +let rec nodelist_contained (#t:Type) (h0:heap) (nl:nodelist t) : GTot Type0 = + nodelist_contained0 h0 nl + +let dll_contained (#t:Type) (h0:heap) (d:dll t) : GTot Type0 = + h0 `contains` d.lhead /\ + h0 `contains` d.ltail /\ + nodelist_contained h0 d.nodes + +let piece_contained (#t:Type) (h0:heap) (p:piece t) : GTot Type0 = + h0 `contains` p.phead /\ + h0 `contains` p.ptail /\ + nodelist_contained h0 p.pnodes + +let rec fragment_contained (#t:Type) (h0:heap) (f:fragment t) : GTot Type0 = + fragment_for_each1 piece_contained h0 f + +/// Footprints + +let node_fp_f (#t:Type) (n:node t) : GTot Mod.loc = + Mod.loc_buffer n.flink +let node_fp_b (#t:Type) (n:node t) : GTot Mod.loc = + Mod.loc_buffer n.blink + +let rec nodelist_fp0 (#t:Type) (n:nodelist t) : GTot Mod.loc = + match n with + | [] -> Mod.loc_none + | n :: ns -> Mod.loc_union (Mod.loc_buffer n) (nodelist_fp0 ns) +let rec nodelist_fp_f (#t:Type) (h0:heap) (n:nodelist t) : GTot Mod.loc = + match n with + | [] -> Mod.loc_none + | n :: ns -> Mod.loc_union (Mod.loc_buffer (n@h0).flink) (nodelist_fp_f h0 ns) +let rec nodelist_fp_b (#t:Type) (h0:heap) (n:nodelist t) : GTot Mod.loc = + match n with + | [] -> Mod.loc_none + | n :: ns -> Mod.loc_union (Mod.loc_buffer (n@h0).blink) (nodelist_fp_b h0 ns) + +let dll_fp0 (#t:Type) (d:dll t) : GTot Mod.loc = + Mod.loc_union // ghostly connections should give us this union for + // free, but still useful to have + (Mod.loc_union (Mod.loc_buffer d.lhead) (Mod.loc_buffer d.ltail)) + (nodelist_fp0 d.nodes) +let dll_fp_f (#t:Type) (h0:heap) (d:dll t) : GTot Mod.loc = + let a = if g_is_null d.lhead then Mod.loc_none else Mod.loc_buffer (d.lhead^@h0).flink in + let b = if g_is_null d.ltail then Mod.loc_none else Mod.loc_buffer (d.ltail^@h0).flink in + Mod.loc_union // ghostly connections should give us this union for + // free, but still useful to have + (Mod.loc_union a b) + (nodelist_fp_f h0 d.nodes) +let dll_fp_b (#t:Type) (h0:heap) (d:dll t) : GTot Mod.loc = + let a = if g_is_null d.lhead then Mod.loc_none else Mod.loc_buffer (d.lhead^@h0).blink in + let b = if g_is_null d.ltail then Mod.loc_none else Mod.loc_buffer (d.ltail^@h0).blink in + Mod.loc_union // ghostly connections should give us this union for + // free, but still useful to have + (Mod.loc_union a b) + (nodelist_fp_b h0 d.nodes) + +let piece_fp0 (#t:Type) (p:piece t) : GTot Mod.loc = + Mod.loc_union // ghostly connections should give us this union for + // free, but still useful to have + (Mod.loc_union (Mod.loc_buffer p.phead) (Mod.loc_buffer p.ptail)) + (nodelist_fp0 p.pnodes) +let piece_fp_f (#t:Type) (h0:heap) (p:piece t) : GTot Mod.loc = + Mod.loc_union // ghostly connections should give us this union for + // free, but still useful to have + (Mod.loc_union (Mod.loc_buffer (p.phead@h0).flink) (Mod.loc_buffer (p.ptail@h0).flink)) + (nodelist_fp_f h0 p.pnodes) +let piece_fp_b (#t:Type) (h0:heap) (p:piece t) : GTot Mod.loc = + Mod.loc_union // ghostly connections should give us this union for + // free, but still useful to have + (Mod.loc_union (Mod.loc_buffer (p.phead@h0).blink) (Mod.loc_buffer (p.ptail@h0).blink)) + (nodelist_fp_b h0 p.pnodes) + +let rec fragment_fp0 (#t:Type) (f:fragment t) : GTot Mod.loc = + match f with + | Frag0 -> Mod.loc_none + | Frag1 p1 -> piece_fp0 p1 + | Frag2 p1 p2 -> Mod.loc_union (piece_fp0 p1) (piece_fp0 p2) + | Frag3 p1 p2 p3 -> Mod.loc_union (piece_fp0 p1) (Mod.loc_union (piece_fp0 p2) (piece_fp0 p3)) + +/// Helper patterns for footprints + +let loc_includes_union_l_nodelist_fp0 (#t: Type) (s1 s2:loc) (nl:nodelist t) : + Lemma + (requires (loc_includes s1 (nodelist_fp0 nl) \/ loc_includes s2 (nodelist_fp0 nl))) + (ensures (loc_includes (loc_union s1 s2) (nodelist_fp0 nl))) + [SMTPat (loc_includes (loc_union s1 s2) (nodelist_fp0 nl))] = + loc_includes_union_l s1 s2 (nodelist_fp0 nl) + +let loc_includes_union_l_dll_fp0 (#t: Type) (s1 s2:loc) (d:dll t) : + Lemma + (requires (loc_includes s1 (dll_fp0 d) \/ loc_includes s2 (dll_fp0 d))) + (ensures (loc_includes (loc_union s1 s2) (dll_fp0 d))) + [SMTPat (loc_includes (loc_union s1 s2) (dll_fp0 d))] = + loc_includes_union_l s1 s2 (dll_fp0 d) + +let loc_includes_union_l_piece_fp0 (#t: Type) (s1 s2:loc) (p:piece t) : + Lemma + (requires (loc_includes s1 (piece_fp0 p) \/ loc_includes s2 (piece_fp0 p))) + (ensures (loc_includes (loc_union s1 s2) (piece_fp0 p))) + [SMTPat (loc_includes (loc_union s1 s2) (piece_fp0 p))] = + loc_includes_union_l s1 s2 (piece_fp0 p) + +let loc_includes_union_l_fragment_fp0 (#t: Type) (s1 s2:loc) (f:fragment t) : + Lemma + (requires (loc_includes s1 (fragment_fp0 f) \/ loc_includes s2 (fragment_fp0 f))) + (ensures (loc_includes (loc_union s1 s2) (fragment_fp0 f))) + [SMTPat (loc_includes (loc_union s1 s2) (fragment_fp0 f))] = + loc_includes_union_l s1 s2 (fragment_fp0 f) + +/// Equivalence for locations + +let loc_equiv (a b:Mod.loc) = Mod.loc_includes a b /\ Mod.loc_includes b a + +let loc_equiv_trans (a b c:Mod.loc) : + Lemma + (requires (loc_equiv a b /\ loc_equiv b c)) + (ensures (loc_equiv a c)) + [SMTPat (loc_equiv a b); + SMTPat (loc_equiv b c); + SMTPat (loc_equiv a c)] = + Mod.loc_includes_trans a b c; + Mod.loc_includes_trans c b a + +let loc_equiv_union_union_loc (a b c:Mod.loc) : + Lemma + (requires (loc_equiv b c)) + (ensures (loc_equiv + (Mod.loc_union a b) + (Mod.loc_union a c))) + [SMTPat (loc_equiv + (Mod.loc_union a b) + (Mod.loc_union a c))] = + let incl = Mod.loc_includes in + let u = Mod.loc_union in + // assert (b `incl` c); + Mod.loc_includes_union_l a b c; + // assert ((a `u` b) `incl` c); + Mod.loc_includes_union_l a b a; + // assert ((a `u` b) `incl` a); + // assert ((a `u` b) `incl` (a `u` c)); + Mod.loc_includes_union_l a c b; + Mod.loc_includes_union_l a c a + +/// Anti aliasing properties + +let node_aa (#t:Type) (n:node t) : GTot Type0 = + Mod.loc_disjoint (node_fp_f n) (node_fp_b n) + +let rec nodelist_aa_r (#t:Type) (nl:nodelist t) : GTot Type0 = + match nl with + | [] -> True + | n :: ns -> + Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 ns) /\ + nodelist_aa_r ns +let rec nodelist_aa_l (#t:Type) (nl:nodelist t) : GTot Type0 (decreases (length nl)) = + match nl with + | [] -> True + | _ -> + let ns, n = unsnoc nl in lemma_unsnoc_length nl; + Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 ns) /\ + nodelist_aa_l ns +let nodelist_aa (#t:Type) (nl:nodelist t) : GTot Type0 = + nodelist_aa_l nl /\ nodelist_aa_r nl + +let dll_aa (#t:Type) (d:dll t) : GTot Type0 = + nodelist_aa d.nodes + +let piece_aa (#t:Type) (p:piece t) : GTot Type0 = + nodelist_aa p.pnodes + +let rec fragment_aa0 (#t:Type) (f:fragment t) : GTot Type0 = + fragment_for_each0 piece_aa f +let rec fragment_aa_lr (#t:Type) (f:fragment t) : GTot Type0 = + match f with + | Frag0 -> True + | Frag1 p1 -> True + | Frag2 p1 p2 -> Mod.loc_disjoint (piece_fp0 p1) (piece_fp0 p2) + | Frag3 p1 p2 p3 -> ((Mod.loc_disjoint (piece_fp0 p1) (piece_fp0 p2)) /\ + (Mod.loc_disjoint (piece_fp0 p2) (piece_fp0 p3)) /\ + (Mod.loc_disjoint (piece_fp0 p3) (piece_fp0 p1))) +let fragment_aa (#t:Type) (f:fragment t) : GTot Type0 = + fragment_aa0 f /\ fragment_aa_lr f + +/// Connectivity properties + +let ( |>> ) (#t:Type) (a:node t) (b:pointer (node t)) : GTot Type0 = + a.flink == b + +let ( <<| ) (#t:Type) (a:pointer (node t)) (b: node t) : GTot Type0 = + b.blink == a + +let rec nodelist_conn (#t:Type) (h0:heap) (nl:nodelist t) : GTot Type0 (decreases (length nl)) = + match nl with + | [] -> True + | n1 :: rest -> match rest with + | [] -> True + | n2 :: ns -> + n1@h0 |>> n2 /\ + n1 <<| n2@h0 /\ + nodelist_conn h0 rest + +let dll_conn (#t:Type) (h0:heap) (d:dll t) : GTot Type0 = + nodelist_conn h0 d.nodes /\ + (d.lhead =!= null ==> (d.lhead@h0).blink == null) /\ + (d.ltail =!= null ==> (d.ltail@h0).flink == null) + +let piece_conn (#t:Type) (h0:heap) (p:piece t) : GTot Type0 = + nodelist_conn h0 p.pnodes + +let rec fragment_conn (#t:Type) (h0:heap) (f:fragment t) : GTot Type0 = + fragment_for_each1 piece_conn h0 f + +/// Validity properties +/// +/// These are just a combination of +/// + Ghostly connections +/// + Containment properties +/// + Anti aliasing properties +/// + Connectivity properties + +let nodelist_valid (#t:Type) (h0:heap) (nl:nodelist t) : GTot Type0 = + nodelist_contained h0 nl /\ + nodelist_aa nl /\ + nodelist_conn h0 nl + +let dll_valid (#t:Type) (h0:heap) (d:dll t) : GTot Type0 = + dll_ghostly_connections d /\ + dll_contained h0 d /\ + dll_aa d /\ + dll_conn h0 d + +let piece_valid (#t:Type) (h0:heap) (p:piece t) : GTot Type0 = + piece_ghostly_connections p /\ + piece_contained h0 p /\ + piece_aa p /\ + piece_conn h0 p + +let fragment_valid (#t:Type) (h0:heap) (f:fragment t) : GTot Type0 = + fragment_ghostly_connections f /\ + fragment_contained h0 f /\ + fragment_aa f /\ + fragment_conn h0 f + +/// Talk about payloads of nodes remaining constant + +let unchanged_node_val h0 h1 n = + (h0 `contains` n ==> + ((n@h0).p == (n@h1).p /\ h1 `contains` n)) + +let rec unchanged_node_vals (h0 h1:HS.mem) (ns:nodelist 'a) : GTot prop = + match ns with + | [] -> True + | n :: ns' -> unchanged_node_val h0 h1 n /\ unchanged_node_vals h0 h1 ns' + +/// Useful operations on nodes + +let ( =|>> ) (#t:Type) (a:pointer (node t)) (b:pointer (node t)) : StackInline unit + (requires (fun h0 -> + h0 `contains` a /\ h0 `contains` b /\ + Mod.loc_disjoint (Mod.loc_buffer a) (Mod.loc_buffer b))) + (ensures (fun h0 _ h1 -> + Mod.modifies (Mod.loc_buffer a) h0 h1 /\ + unchanged_node_val h0 h1 a /\ + (a@h0).blink == (a@h1).blink /\ + b@h0 == b@h1 /\ + (a@h1) |>> b)) = + a *= { !*a with flink = b } + +let ( <<|= ) (#t:Type) (a:pointer (node t)) (b:pointer (node t)) : StackInline unit + (requires (fun h0 -> + h0 `contains` a /\ h0 `contains` b /\ + Mod.loc_disjoint (Mod.loc_buffer a) (Mod.loc_buffer b))) + (ensures (fun h0 _ h1 -> + Mod.modifies (Mod.loc_buffer b) h0 h1 /\ + a@h0 == a@h1 /\ + unchanged_node_val h0 h1 b /\ + (b@h0).flink == (b@h1).flink /\ + a <<| (b@h1))) = + b *= { !*b with blink = a } + +let ( !=|>> ) (#t:Type) (a:pointer (node t)) : StackInline unit + (requires (fun h0 -> h0 `contains` a)) + (ensures (fun h0 _ h1 -> + Mod.modifies (Mod.loc_buffer a) h0 h1 /\ + unchanged_node_val h0 h1 a /\ + (a@h0).blink == (a@h1).blink /\ + (a@h1).flink == null)) = + a *= { !*a with flink = null } + +let ( !<<|= ) (#t:Type) (a:pointer (node t)) : StackInline unit + (requires (fun h0 -> h0 `contains` a)) + (ensures (fun h0 _ h1 -> + Mod.modifies (Mod.loc_buffer a) h0 h1 /\ + unchanged_node_val h0 h1 a /\ + (a@h0).flink == (a@h1).flink /\ + (a@h1).blink == null)) = + a *= { !*a with blink = null } + +/// Extraction lemmas: these allow one to use one of the properties +/// above, which are defined inductively, to get the property at one +/// of the latter elements of the list. + +let rec extract_nodelist_contained (#t:Type) (h0:heap) (nl:nodelist t) (i:nat{i < length nl}) : + Lemma + (requires (nodelist_contained h0 nl)) + (ensures (h0 `contains` nl.[i])) = + match i with + | 0 -> () + | _ -> extract_nodelist_contained h0 (tl nl) (i - 1) + +let rec extract_nodelist_fp0 (#t:Type) (nl:nodelist t) (i:nat{i < length nl}) : + Lemma + (ensures (Mod.loc_includes + (nodelist_fp0 nl) + (Mod.loc_buffer nl.[i]))) = + match i with + | 0 -> () + | _ -> extract_nodelist_fp0 (tl nl) (i - 1) + +let rec extract_nodelist_aa_r (#t:Type) (nl:nodelist t) (i:nat{i < length nl}) : + Lemma + (requires (nodelist_aa_r nl)) + (ensures ( + let left, n, right = split3 nl i in + Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 right))) = + match i with + | 0 -> () + | _ -> extract_nodelist_aa_r (tl nl) (i - 1) + +let rec extract_nodelist_aa_l (#t:Type) (nl:nodelist t) (i:nat{i < length nl}) : + Lemma + (requires (nodelist_aa_l nl)) + (ensures ( + let left, n, right = split3 nl i in + Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 left))) + (decreases (length nl)) = + if i = length nl - 1 then () else ( + let a, b = unsnoc nl in lemma_unsnoc_length nl; + let left, n, right = split3 nl i in + lemma_unsnoc_split3 nl i; + // assert (append (left) (n :: (fst (unsnoc right))) == a); + extract_nodelist_aa_l a i; + lemma_split3_unsnoc nl i + ) + +let rec extract_nodelist_conn (#t:Type) (h0:heap) (nl:nodelist t) (i:nat{i < length nl - 1}) : + Lemma + (requires (nodelist_conn h0 nl)) + (ensures ( + (nl.[i]@h0 |>> nl.[i+1]) /\ + (nl.[i] <<| nl.[i+1]@h0))) + (decreases (length nl)) = + match i with + | 0 -> () + | _ -> extract_nodelist_conn h0 (tl nl) (i - 1) + +/// Validity is maintained upon breaking the lists, via (hd :: tl) + +let rec nodelist_remains_aa_l (#t:Type) (nl:nodelist t) : + Lemma + (requires (nodelist_aa_l nl /\ length nl > 0)) + (ensures (nodelist_aa_l (tl nl))) + (decreases (length nl)) + [SMTPat (nodelist_aa_l (tl nl))] = + match nl with + | [n] -> () + | _ -> + let ns, n = unsnoc nl in lemma_unsnoc_length nl; + let ns', n' = unsnoc (tl nl) in + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 ns)); + // assert (n' == n); + // assert (ns' == tl ns); + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 ns')); + nodelist_remains_aa_l ns + +(* Rest of the validity predicates are held trivially due to their + direction of definition *) + +/// Properties maintained upon breaking the list, via unsnoc + +let rec fst_unsnoc_nodelist_fp0 (#t:Type) (nl:nodelist t) : + Lemma + (requires (length nl > 0)) + (ensures (Mod.loc_includes (nodelist_fp0 nl) (nodelist_fp0 (fst (unsnoc nl))))) + [SMTPat (Mod.loc_includes (nodelist_fp0 nl) (nodelist_fp0 (fst (unsnoc nl))))] = + match nl with + | [_] -> () + | n :: ns -> fst_unsnoc_nodelist_fp0 ns + +let rec snd_unsnoc_nodelist_fp0 (#t:Type) (nl:nodelist t) : + Lemma + (requires (length nl > 0)) + (ensures (Mod.loc_includes (nodelist_fp0 nl) (Mod.loc_buffer (snd (unsnoc nl))))) + [SMTPat (Mod.loc_includes (nodelist_fp0 nl) (Mod.loc_buffer (snd (unsnoc nl))))] = + match nl with + | [_] -> () + | n :: ns -> snd_unsnoc_nodelist_fp0 ns + +let rec fst_unsnoc_nodelist_contained (#t:Type) (h0:heap) (nl:nodelist t) : + Lemma + (requires (nodelist_contained h0 nl /\ length nl > 0)) + (ensures (nodelist_contained h0 (fst (unsnoc nl)))) = + match nl with + | [_] -> () + | _ -> fst_unsnoc_nodelist_contained h0 (tl nl) + +let rec fst_unsnoc_nodelist_aa (#t:Type) (nl:nodelist t) : + Lemma + (requires (nodelist_aa nl /\ length nl > 0)) + (ensures (nodelist_aa (fst (unsnoc nl)))) = + match nl with + | [_] -> () + | _ -> + fst_unsnoc_nodelist_aa (tl nl); + // assert (nodelist_aa_l (fst (unsnoc nl))); + let n :: ns = fst (unsnoc nl) in + Mod.loc_disjoint_includes + (Mod.loc_buffer n) (nodelist_fp0 (tl nl)) + (Mod.loc_buffer n) (nodelist_fp0 ns); + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 ns)); + // assert (nodelist_aa_r (fst (unsnoc nl))); + () + +let rec fst_unsnoc_nodelist_conn (#t:Type) (h0:heap) (nl:nodelist t) : + Lemma + (requires (nodelist_conn h0 nl /\ length nl > 0)) + (ensures (nodelist_conn h0 (fst (unsnoc nl)))) = + match nl with + | [_] -> () + | _ -> fst_unsnoc_nodelist_conn h0 (tl nl) + +let fst_unsnoc_nodelist_valid (#t:Type) (h0:heap) (nl:nodelist t) : + Lemma + (requires (nodelist_valid h0 nl /\ length nl > 0)) + (ensures (nodelist_valid h0 (fst (unsnoc nl)))) = + fst_unsnoc_nodelist_contained h0 nl; + fst_unsnoc_nodelist_aa nl; + fst_unsnoc_nodelist_conn h0 nl + +/// Footprints are included, even upon breaking nodelist even further + +let rec nodelist_includes_r_fp0 (#t:Type) (nl:nodelist t) (i j:nat) : + Lemma + (requires (i <= j /\ j < length nl)) + (ensures ( + let _, a = splitAt i nl in + let _, b = splitAt j nl in + Mod.loc_includes (nodelist_fp0 a) (nodelist_fp0 b))) + (decreases (j - i)) = + if i = j then () else ( + let temp, a = splitAt i nl in lemma_splitAt nl temp a i; + let temp, b = splitAt j nl in lemma_splitAt nl temp b j; + if i = j - 1 then ( + List.Pure.Properties.splitAt_assoc i 1 nl; + // assert (tl a == b); + () + ) else ( + nodelist_includes_r_fp0 nl i (j - 1); + nodelist_includes_r_fp0 nl (j - 1) j; + let temp, c = splitAt (j - 1) nl in lemma_splitAt nl temp c (j - 1); + Mod.loc_includes_trans (nodelist_fp0 a) (nodelist_fp0 c) (nodelist_fp0 b) + ) + ) + +let rec nodelist_includes_l_fp0 (#t:Type) (nl:nodelist t) (i j:nat) : + Lemma + (requires (i <= j /\ j < length nl)) + (ensures ( + let a, _ = splitAt i nl in + let b, _ = splitAt j nl in + Mod.loc_includes (nodelist_fp0 b) (nodelist_fp0 a))) + (decreases (j - i)) = + if i = j then () else ( + let a, a' = splitAt i nl in lemma_splitAt nl a a' i; + let b, b' = splitAt j nl in lemma_splitAt nl b b' j; + if i = j - 1 then ( + List.Pure.Properties.splitAt_assoc i 1 nl; + // assert (b == append a [hd a']); + lemma_unsnoc_append a [hd a']; + // assert (snd (unsnoc b) == hd a'); + // assert (fst (unsnoc b) == a); + fst_unsnoc_nodelist_fp0 b + ) else ( + nodelist_includes_l_fp0 nl i (j - 1); + nodelist_includes_l_fp0 nl (j - 1) j; + let c, c' = splitAt (j - 1) nl in lemma_splitAt nl c c' (j - 1); + Mod.loc_includes_trans (nodelist_fp0 b) (nodelist_fp0 c) (nodelist_fp0 a) + ) + ) + +/// Total conversions between fragments, pieces, and dlls + +let tot_dll_to_piece (#t:Type) (h0:heap) (d:nonempty_dll t{dll_valid h0 d}) : + Tot (p:piece t{piece_valid h0 p}) = + { phead = d.lhead ; ptail = d.ltail ; pnodes = d.nodes } + +let tot_dll_to_fragment (#t:Type) (h0:heap) (d:dll t{dll_valid h0 d /\ d.lhead =!= null}) : + Tot (f:fragment t{fragment_valid h0 f}) = + Frag1 (tot_dll_to_piece h0 d) + +let tot_piece_to_dll (#t:Type) (h0:heap) (p:piece t{ + piece_valid h0 p /\ + (p.phead@h0).blink == null /\ + (p.ptail@h0).flink == null}) : + Tot (d:dll t{dll_valid h0 d}) = + { lhead = p.phead ; ltail = p.ptail ; nodes = p.pnodes } + +(* The conversions piece<->fragment are trivial *) + +/// Properties maintained when appending nodelists + +let rec nodelist_append_contained (#t:Type) (h0:heap) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_contained h0 nl1 /\ nodelist_contained h0 nl2)) + (ensures (nodelist_contained h0 (append nl1 nl2))) = + match nl1 with + | [] -> () + | _ :: nl1' -> nodelist_append_contained h0 nl1' nl2 + +let rec nodelist_append_fp0 (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (ensures ( + loc_equiv + (nodelist_fp0 (append nl1 nl2)) + (Mod.loc_union (nodelist_fp0 nl1) (nodelist_fp0 nl2)))) = + match nl1 with + | [] -> () + | n :: nl1' -> + nodelist_append_fp0 nl1' nl2; + // assert (loc_equiv + // (nodelist_fp0 (append nl1' nl2)) + // (Mod.loc_union (nodelist_fp0 nl1') (nodelist_fp0 nl2))); + // assert (loc_equiv + // (nodelist_fp0 nl1) + // (Mod.loc_union (Mod.loc_buffer n) (nodelist_fp0 nl1'))); + // assert (loc_equiv + // (Mod.loc_union (Mod.loc_union (Mod.loc_buffer n) (nodelist_fp0 nl1')) (nodelist_fp0 nl2)) + // (Mod.loc_union (Mod.loc_buffer n) (Mod.loc_union (nodelist_fp0 nl1') (nodelist_fp0 nl2)))); + // assert (loc_equiv + // (Mod.loc_union (nodelist_fp0 nl1) (nodelist_fp0 nl2)) + // (Mod.loc_union (Mod.loc_buffer n) (Mod.loc_union (nodelist_fp0 nl1') (nodelist_fp0 nl2)))); + // assert (loc_equiv + // (Mod.loc_union (Mod.loc_buffer n) (Mod.loc_union (nodelist_fp0 nl1') (nodelist_fp0 nl2))) + // (Mod.loc_union (Mod.loc_buffer n) (nodelist_fp0 (append nl1' nl2)))); + loc_equiv_trans + (Mod.loc_union (nodelist_fp0 nl1) (nodelist_fp0 nl2)) + (Mod.loc_union (Mod.loc_buffer n) (Mod.loc_union (nodelist_fp0 nl1') (nodelist_fp0 nl2))) + (Mod.loc_union (Mod.loc_buffer n) (nodelist_fp0 (append nl1' nl2))); + // assert (loc_equiv + // (Mod.loc_union (nodelist_fp0 nl1) (nodelist_fp0 nl2)) + // (Mod.loc_union (Mod.loc_buffer n) (nodelist_fp0 (append nl1' nl2)))); + () + +#set-options "--z3rlimit 20" + +let rec nodelist_append_aa_l (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_aa_l nl1 /\ nodelist_aa_l nl2 /\ + Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2))) + (ensures (nodelist_aa_l (append nl1 nl2))) + (decreases (length nl2)) = + match nl2 with + | [] -> append_l_nil nl1 + | _ -> + let nl2', n = unsnoc nl2 in lemma_unsnoc_length nl2; + nodelist_append_fp0 nl1 nl2'; + // assert (nodelist_aa_l nl2'); + assert (Mod.loc_includes (nodelist_fp0 nl2) (nodelist_fp0 nl2')); // OBSERVE + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 nl2')); + lemma_unsnoc_is_last nl2; + assert (Mod.loc_includes (nodelist_fp0 nl2) (Mod.loc_buffer n)); // OBSERVE + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 nl1)); + // assert (loc_equiv (nodelist_fp0 (append nl1 nl2')) (Mod.loc_union (nodelist_fp0 nl1) (nodelist_fp0 nl2'))); + nodelist_append_aa_l nl1 nl2'; + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 (append nl1 nl2'))); + lemma_unsnoc_append nl1 nl2; + // assert (append nl1 nl2' == fst (unsnoc (append nl1 nl2))); + // assert (n == snd (unsnoc (append nl1 nl2))); + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 (fst (unsnoc (append nl1 nl2))))); + () + +#reset-options + +let rec nodelist_append_aa_r (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_aa_r nl1 /\ nodelist_aa_r nl2 /\ + Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2))) + (ensures (nodelist_aa_r (append nl1 nl2))) = + match nl1 with + | [] -> () + | _ -> + nodelist_append_fp0 (tl nl1) nl2; + nodelist_append_aa_r (tl nl1) nl2 + +let nodelist_append_aa (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_aa nl1 /\ nodelist_aa nl2 /\ + Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2))) + (ensures (nodelist_aa (append nl1 nl2))) = + nodelist_append_aa_l nl1 nl2; nodelist_append_aa_r nl1 nl2 + +let rec nodelist_append_conn (#t:Type) (h0:heap) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_conn h0 nl1 /\ nodelist_conn h0 nl2 /\ + Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2) /\ + length nl1 > 0 /\ length nl2 > 0 /\ // For "= 0", it is trivially held + (last nl1)@h0 |>> (hd nl2) /\ + (last nl1) <<| (hd nl2)@h0)) + (ensures (nodelist_conn h0 (append nl1 nl2))) = + match nl1 with + | [_] -> () + | _ -> nodelist_append_conn h0 (tl nl1) nl2 + +let nodelist_append_valid (#t:Type) (h0:heap) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_valid h0 nl1 /\ nodelist_valid h0 nl2 /\ + Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2) /\ + length nl1 > 0 /\ length nl2 > 0 /\ // For "= 0", it is trivially held + (last nl1)@h0 |>> (hd nl2) /\ + (last nl1) <<| (hd nl2)@h0)) + (ensures (nodelist_valid h0 (append nl1 nl2))) = + nodelist_append_contained h0 nl1 nl2; + nodelist_append_aa nl1 nl2; + nodelist_append_conn h0 nl1 nl2 + +/// Useful property for for piece merging + +let loc_includes_union_r_inv (a b c:Mod.loc) : + Lemma + (requires (Mod.loc_includes a (Mod.loc_union b c))) + (ensures (Mod.loc_includes a b /\ Mod.loc_includes a c)) = + Mod.loc_includes_union_l b c b; + Mod.loc_includes_trans a (Mod.loc_union b c) b; + Mod.loc_includes_union_l b c c; + Mod.loc_includes_trans a (Mod.loc_union b c) c + +/// Piece merging + +#set-options "--z3rlimit 10" + +val piece_merge (#t:Type) (h0:heap) + (p1:piece t{piece_valid h0 p1}) + (p2:piece t{piece_valid h0 p2}) : + Pure (piece t) + (requires (let a, b = last p1.pnodes, hd p2.pnodes in + (a@h0 |>> b) /\ + (a <<| b@h0) /\ + Mod.loc_disjoint (piece_fp0 p1) (piece_fp0 p2))) + (ensures (fun p -> (piece_valid h0 p) /\ + (reveal p.pnodes == p1.pnodes `append` p2.pnodes))) + +let piece_merge #t h0 p1 p2 = + let p = { phead = p1.phead ; ptail = p2.ptail ; pnodes = p1.pnodes ^@^ p2.pnodes } in + lemma_append_last p1.pnodes p2.pnodes; + nodelist_append_valid h0 p1.pnodes p2.pnodes; + p + +#reset-options + +let piece_merge_fp0 (#t:Type) (h0:heap) + (p1:piece t{piece_valid h0 p1}) + (p2:piece t{piece_valid h0 p2}) : + Lemma + (requires (let a, b = last p1.pnodes, hd p2.pnodes in + (a@h0 |>> b) /\ + (a <<| b@h0) /\ + Mod.loc_disjoint (piece_fp0 p1) (piece_fp0 p2))) + (ensures (loc_equiv + (piece_fp0 (piece_merge h0 p1 p2)) + (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2)))) = + let p = piece_merge h0 p1 p2 in + let n1, n2, n = reveal p1.pnodes, reveal p2.pnodes, reveal p.pnodes in + nodelist_append_fp0 n1 n2; + // assert (loc_equiv (nodelist_fp0 n) (Mod.loc_union (nodelist_fp0 n1) (nodelist_fp0 n2))); + // assert (hd n1 == p1.phead); + // assert (Mod.loc_includes (nodelist_fp0 n1) (Mod.loc_buffer p1.phead)); + // assert (Mod.loc_includes (nodelist_fp0 n) (Mod.loc_buffer p.phead)); + // assert (last n2 == p2.ptail); + extract_nodelist_fp0 n2 (length n2 - 1); + lemma_unsnoc_is_last n2; + // assert (Mod.loc_includes (nodelist_fp0 n2) (Mod.loc_buffer p2.ptail)); + extract_nodelist_fp0 n (length n - 1); + lemma_unsnoc_is_last n; + // assert (Mod.loc_includes (nodelist_fp0 n) (Mod.loc_buffer p.ptail)); + loc_includes_union_r_inv (nodelist_fp0 n) (nodelist_fp0 n1) (nodelist_fp0 n2); + // assert (Mod.loc_includes (nodelist_fp0 n) (nodelist_fp0 n1)); + // assert (Mod.loc_includes (nodelist_fp0 n) (nodelist_fp0 n2)); + // + // assert (loc_equiv (nodelist_fp0 n) (piece_fp0 p)); + extract_nodelist_fp0 n1 (length n1 - 1); + lemma_unsnoc_is_last n1; + // assert (loc_equiv (nodelist_fp0 n1) (piece_fp0 p1)); + // assert (loc_equiv (nodelist_fp0 n2) (piece_fp0 p2)); + // + // assert (Mod.loc_includes (nodelist_fp0 n) (Mod.loc_union (nodelist_fp0 n1) (nodelist_fp0 n2))); + Mod.loc_includes_trans (nodelist_fp0 n) (piece_fp0 p) + (Mod.loc_union (nodelist_fp0 n1) (nodelist_fp0 n2)); + Mod.loc_includes_trans (nodelist_fp0 n) + (Mod.loc_union (nodelist_fp0 n1) (nodelist_fp0 n2)) + (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2)); + // assert (Mod.loc_includes (piece_fp0 p) (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2))); + // + // assert (Mod.loc_includes (Mod.loc_union (nodelist_fp0 n1) (nodelist_fp0 n2)) (nodelist_fp0 n)); + loc_equiv_trans (nodelist_fp0 n) (piece_fp0 p) + (Mod.loc_union (nodelist_fp0 n1) (nodelist_fp0 n2)); + loc_equiv_trans (nodelist_fp0 n) + (Mod.loc_union (nodelist_fp0 n1) (nodelist_fp0 n2)) + (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2)); + loc_equiv_trans (piece_fp0 p) (nodelist_fp0 n) + (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2)) + +/// Fragment merging to a dll + +let rec fragment_defragmentable (#t:Type) (h0:heap) (f:fragment t{fragment_valid h0 f}) : + GTot Type0 = + let aux (p1 p2:(p:piece t{piece_valid h0 p})) = + let a, b = last p1.pnodes, hd p2.pnodes in + (a@h0 |>> b) /\(a <<| b@h0) in + match f with + | Frag0 -> True + | Frag1 p1 -> True + | Frag2 p1 p2 -> aux p1 p2 + | Frag3 p1 p2 p3 -> aux p1 p2 /\ aux p2 p3 + +let single_piece_fragment_valid (#t:Type) (h0:heap) (p:piece t) : + Lemma + (requires (piece_valid h0 p)) + (ensures (fragment_valid h0 (Frag1 p))) = () + +#set-options "--z3rlimit 40 --initial_ifuel 2" + +let tot_defragmentable_fragment_to_dll (#t:Type) (h0:heap) (f:fragment t{ + fragment_valid h0 f /\ + fragment_defragmentable h0 f /\ + (fragment_length f > 0 ==> + (let a, b = match f with + | Frag1 p1 -> p1, p1 + | Frag2 p1 p2 -> p1, p2 + | Frag3 p1 _ p3 -> p1, p3 in + ((a.phead@h0).blink == null) /\ + ((b.ptail@h0).flink == null))) + }) : + Tot (d:dll t{dll_valid h0 d /\ dll_fp0 d `loc_equiv` fragment_fp0 f /\ + (reveal d.nodes == ( + match f with + | Frag0 -> [] + | Frag1 p1 -> reveal p1.pnodes + | Frag2 p1 p2 -> reveal p1.pnodes `append` reveal p2.pnodes + | Frag3 p1 p2 p3 -> + reveal p1.pnodes `append` reveal p2.pnodes `append` reveal p3.pnodes)) + }) = + match f with + | Frag0 -> empty_list + | Frag1 p1 -> tot_piece_to_dll h0 p1 + | Frag2 p1 p2 -> + piece_merge_fp0 h0 p1 p2; + tot_piece_to_dll h0 (piece_merge h0 p1 p2) + | Frag3 p1 p2 p3 -> + piece_merge_fp0 h0 p1 p2; + let p' = piece_merge h0 p1 p2 in + piece_merge_fp0 h0 p' p3; + tot_piece_to_dll h0 (piece_merge h0 p' p3) + +#reset-options + +/// Properties of nodelists maintained upon splitting nodelists + +let rec nodelist_split_contained (#t:Type) (h0:heap) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_contained h0 (append nl1 nl2))) + (ensures (nodelist_contained h0 nl1 /\ nodelist_contained h0 nl2)) = + match nl1 with + | [] -> () + | _ :: nl1' -> nodelist_split_contained h0 nl1' nl2 + +let rec nodelist_split_fp0 (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_aa_r (append nl1 nl2))) + (ensures (Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2))) = + match nl1 with + | [] | [_] -> () + | _ -> + match nl2 with + | [] -> () + | _ -> + // assert (length nl1 > 1); + // assert (length nl2 > 0); + nodelist_split_fp0 (tl nl1) nl2; + append_length nl1 nl2; + nodelist_includes_r_fp0 (tl (append nl1 nl2)) 0 (length nl1 - 1); + // assert (snd (splitAt 0 (tl (append nl1 nl2))) == tl (append nl1 nl2)); + // assert (snd (splitAt (length nl1 - 1) (tl (append nl1 nl2))) == snd (splitAt (length nl1) (append nl1 nl2))); + lemma_append_splitAt nl1 nl2; + // assert (snd (splitAt (length nl1) (append nl1 nl2)) == nl2); + // assert (Mod.loc_includes (nodelist_fp0 (tl (append nl1 nl2))) (nodelist_fp0 nl2)); + // assert (Mod.loc_disjoint (Mod.loc_buffer (hd nl1)) (nodelist_fp0 (tl (append nl1 nl2)))); + // assert (Mod.loc_disjoint (Mod.loc_buffer (hd nl1)) (nodelist_fp0 nl2)); + // assert (Mod.loc_disjoint (nodelist_fp0 (tl nl1)) (nodelist_fp0 nl2)); + Mod.loc_disjoint_union_r (nodelist_fp0 nl2) (Mod.loc_buffer (hd nl1)) (nodelist_fp0 (tl nl1)); + // assert (Mod.loc_disjoint (Mod.loc_union (Mod.loc_buffer (hd nl1)) (nodelist_fp0 (tl nl1))) (nodelist_fp0 nl2)); + () + +#set-options "--z3rlimit 30" + +let rec nodelist_split_fp0_equiv (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (ensures + ((loc_equiv + (nodelist_fp0 (append nl1 nl2)) + (Mod.loc_union + (nodelist_fp0 nl1) + (nodelist_fp0 nl2))))) = + match nl1 with + | [] -> () + | n :: ns -> + nodelist_split_fp0_equiv ns nl2; + assert (loc_equiv (nodelist_fp0 (append nl1 nl2)) + (Mod.loc_union + (Mod.loc_buffer n) + (Mod.loc_union + (nodelist_fp0 ns) + (nodelist_fp0 nl2)))); // OBSERVE + assert (loc_equiv + (Mod.loc_union + (Mod.loc_buffer n) + (Mod.loc_union + (nodelist_fp0 ns) + (nodelist_fp0 nl2))) + (Mod.loc_union + (Mod.loc_union + (Mod.loc_buffer n) + (nodelist_fp0 ns)) + (nodelist_fp0 nl2))) // OBSERVE + +let rec nodelist_split_aa_l (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_aa_l (append nl1 nl2))) + (ensures (nodelist_aa_l nl1 /\ nodelist_aa_l nl2)) + (decreases (length nl2)) = + match nl2 with + | [] -> append_l_nil nl1 + | _ -> + let nl2', n = unsnoc nl2 in lemma_unsnoc_length nl2; + lemma_unsnoc_append nl1 nl2; + // assert (nodelist_aa_l (append nl1 nl2)); + // assert (nodelist_aa_l (append nl1 nl2')); + nodelist_split_aa_l nl1 nl2'; + // assert (nodelist_aa_l nl2'); + // assert (n == snd (unsnoc (append nl1 nl2))); + // assert (n == snd (unsnoc nl2)); + nodelist_append_fp0 nl1 nl2'; + // assert (Mod.loc_includes (nodelist_fp0 (append nl1 nl2')) (nodelist_fp0 nl2')); + // assert (Mod.loc_disjoint (Mod.loc_buffer n) (nodelist_fp0 nl2')); + // assert (nodelist_aa_l nl2); + () + +#reset-options + +let rec nodelist_split_aa_r (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_aa_r (append nl1 nl2))) + (ensures (nodelist_aa_r nl1 /\ nodelist_aa_r nl2)) = + match nl1 with + | [] -> () + | _ -> + nodelist_split_aa_r (tl nl1) nl2; + nodelist_append_fp0 (tl nl1) nl2 + +let nodelist_split_aa (#t:Type) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_aa (append nl1 nl2))) + (ensures (nodelist_aa nl1 /\ nodelist_aa nl2 /\ + Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2))) = + nodelist_split_fp0 nl1 nl2; + nodelist_split_aa_l nl1 nl2; + nodelist_split_aa_r nl1 nl2 + +let rec nodelist_split_conn (#t:Type) (h0:heap) (nl1 nl2:nodelist t) : + Lemma + (requires ( + (nodelist_conn h0 (append nl1 nl2)) /\ + length nl1 > 0 /\ length nl2 > 0)) // For "= 0", it is trivially held + (ensures (nodelist_conn h0 nl1 /\ nodelist_conn h0 nl2 /\ + (last nl1)@h0 |>> (hd nl2) /\ + (last nl1) <<| (hd nl2)@h0)) = + match nl1 with + | [_] -> () + | _ -> nodelist_split_conn h0 (tl nl1) nl2 + +let nodelist_split_valid (#t:Type) (h0:heap) (nl1 nl2:nodelist t) : + Lemma + (requires (nodelist_valid h0 (append nl1 nl2) /\ + length nl1 > 0 /\ length nl2 > 0)) // For "= 0", it is trivially held + (ensures (nodelist_valid h0 nl1 /\ nodelist_valid h0 nl2 /\ + Mod.loc_disjoint (nodelist_fp0 nl1) (nodelist_fp0 nl2) /\ + (last nl1)@h0 |>> (hd nl2) /\ + (last nl1) <<| (hd nl2)@h0)) = + nodelist_split_contained h0 nl1 nl2; + nodelist_split_aa nl1 nl2; + nodelist_split_conn h0 nl1 nl2 + +/// Useful lemma to convert from dll_fp0 or piece_fp0 to nodelist_fp0 +/// and vice-versa + +let dll_fp0_is_nodelist_fp0 (#t:Type) (d:dll t) : Lemma + (requires (dll_ghostly_connections d)) + (ensures + (loc_equiv (dll_fp0 d) (nodelist_fp0 d.nodes))) = + if length d.nodes > 0 then + lemma_unsnoc_is_last d.nodes + else + () + +let piece_fp0_is_nodelist_fp0 (#t:Type) (p:piece t) : Lemma + (requires (piece_ghostly_connections p)) + (ensures + (loc_equiv (piece_fp0 p) (nodelist_fp0 p.pnodes))) = + lemma_unsnoc_is_last (reveal p.pnodes) + +/// Tot dll to fragment, with splitting + +#set-options "--z3rlimit 60 --initial_fuel 8 --initial_ifuel 1" + +let tot_dll_to_fragment_split (#t:Type) (h0:heap) (d:dll t{dll_valid h0 d}) + (n1 n2:pointer (node t)) : + Pure (fragment t) + (requires ( + n1 `memP` d.nodes /\ + n2 `memP` d.nodes /\ + n1@h0 |>> n2 /\ n1 <<| n2@h0)) + (ensures (fun f -> + fragment_valid h0 f /\ + fragment_length f = 2 /\ + loc_equiv (dll_fp0 d) (fragment_fp0 f) /\ + (let Frag2 p1 p2 = f in + reveal d.nodes == reveal p1.pnodes `append` reveal p2.pnodes))) = + let split_nodes = elift2_p split_using d.nodes (hide n2) in + lemma_split_using d.nodes n2; + let l1 = elift1 fst split_nodes in + let l2 = elift1 snd split_nodes in + let p1 = { phead = d.lhead ; ptail = n1 ; pnodes = l1 } in + let p2 = { phead = n2 ; ptail = d.ltail ; pnodes = l2 } in + let f = Frag2 p1 p2 in + dll_fp0_is_nodelist_fp0 d; + // assert (loc_equiv (dll_fp0 d) (nodelist_fp0 (reveal d.nodes))); + nodelist_split_fp0_equiv l1 l2; + nodelist_split_valid h0 l1 l2; + lemma_unsnoc_is_last l1; + lemma_unsnoc_is_last l2; + lemma_unsnoc_is_last (reveal d.nodes); + // assert (piece_ghostly_connections p1); + // assert ( n2 == hd (reveal l2) ); + lemma_append_last l1 l2; + // assert ( last (reveal l2) == last (append (reveal l1) (reveal l2)) ); + // assert ( d.ltail == last (reveal l2) ); + // assert (piece_ghostly_connections p2); + // assert (fragment_ghostly_connections f); + // assert (nodelist_contained h0 (reveal p1.pnodes)); + // assert (nodelist_contained h0 (reveal p2.pnodes)); + extract_nodelist_contained h0 l1 (length l1 - 1); + // assert (h0 `contains` p1.ptail); + // assert (fragment_contained h0 f); + // assert (nodelist_aa (reveal p1.pnodes)); + // assert (nodelist_aa (reveal p2.pnodes)); + piece_fp0_is_nodelist_fp0 p1; + piece_fp0_is_nodelist_fp0 p2; + // assert (loc_equiv (dll_fp0 d) + // (Mod.loc_union (nodelist_fp0 (reveal l1)) (nodelist_fp0 (reveal l2)))); + // assert (loc_equiv (nodelist_fp0 (reveal l1)) (piece_fp0 p1)); + // assert (loc_equiv (nodelist_fp0 (reveal l2)) (piece_fp0 p2)); + // assert (loc_equiv + // (Mod.loc_union (nodelist_fp0 (reveal l1)) (nodelist_fp0 (reveal l2))) + // (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2))); + loc_equiv_trans + (dll_fp0 d) + (Mod.loc_union (nodelist_fp0 l1) (nodelist_fp0 l2)) + (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2)); + // assert (loc_equiv (dll_fp0 d) + // (Mod.loc_union (piece_fp0 p1) (piece_fp0 p2))); + // assert (Mod.loc_disjoint (piece_fp0 p1) (piece_fp0 p2)); + // assert (fragment_aa f); + // assert (nodelist_conn h0 (reveal p1.pnodes)); + // assert (nodelist_conn h0 (reveal p2.pnodes)); + // assert (fragment_conn h0 f); + f + +#reset-options + +/// Creating a dll from a single node. Pure and ST forms of this. + +let tot_node_to_dll (#t:Type) (h0:heap) (n:pointer (node t)) : + Pure (dll t) + (requires ( + (h0 `contains` n) /\ + (((n@h0).flink == null)) /\ + ((n@h0).blink == null))) + (ensures (fun d -> dll_valid h0 d)) = + { lhead = n ; ltail = n ; nodes = ~. n } + +let singleton_dll (#t:Type) (n:pointer (node t)) : + StackInline (dll t) + (requires (fun h0 -> + (h0 `contains` n))) + (ensures (fun h0 d h1 -> + Mod.modifies (Mod.loc_buffer n) h0 h1 /\ + dll_valid h1 d /\ + unchanged_node_vals h0 h1 d.nodes /\ + reveal d.nodes == [n])) = + !=|>> n; + !<<|= n; + tot_node_to_dll (ST.get ()) n + +/// Creating a piece from a single node. + +let tot_node_to_piece (#t:Type) (h0:heap) (n:pointer (node t)) : + Pure (piece t) + (requires ( + (h0 `contains` n))) + (ensures (fun p -> piece_valid h0 p)) = + { phead = n ; ptail = n ; pnodes = ~. n } + +/// Getting the "tail" of a piece + +let tot_piece_tail (#t:Type) (h0:heap) (p:piece t) (n:pointer (node t)) : + Pure (piece t) + (requires ( + (piece_valid h0 p) /\ + (n == (((p.phead)@h0).flink)) /\ + (length p.pnodes > 1))) + (ensures (fun q -> + (piece_valid h0 q) /\ + (reveal q.pnodes) == tl p.pnodes)) = + { phead = n ; ptail = p.ptail ; pnodes = elift1_p (tot_to_gtot tl) p.pnodes } + +/// If a dll is valid, then both the forward and backward links of +/// each of the nodes are contained in the heap, and disjoint from +/// each other + +let lemma_dll_links_contained (#t:Type) (h0:heap) (d:dll t) (i:nat) : + Lemma + (requires ( + (dll_valid h0 d) /\ + (i < length d.nodes))) + (ensures ( + let nodes = d.nodes in + (h0 `contains` (nodes.[i]@h0).flink) /\ + (h0 `contains` (nodes.[i]@h0).blink))) = + let nl = reveal d.nodes in + match nl with + | [_] -> () + | _ -> + (if i = 0 then () else extract_nodelist_conn h0 nl (i-1)); + (if i = length nl - 1 then () else extract_nodelist_conn h0 nl i); + (if i = 0 then () else extract_nodelist_contained h0 nl (i - 1)); + (if i = length nl - 1 then () else extract_nodelist_contained h0 nl (i + 1)); + lemma_unsnoc_is_last nl + +#set-options "--z3rlimit 10 --initial_ifuel 2" + +let lemma_dll_links_disjoint (#t:Type) (h0:heap) (d:dll t) (i:nat) : + Lemma + (requires ( + (dll_valid h0 d) /\ + (i < length d.nodes))) + (ensures ( + let nodes = d.nodes in + let left = (nodes.[i]@h0).blink in + let right = (nodes.[i]@h0).flink in + Mod.loc_disjoint + (Mod.loc_buffer left) + (Mod.loc_buffer right))) = + let nl = reveal d.nodes in + match nl with + | [_] -> () + | _ -> + lemma_unsnoc_length nl; + let node_split = splitAt i nl in + lemma_splitAt nl (fst node_split) (snd node_split) i; + lemma_splitAt_index_hd i nl; + let l1, x :: l2 = node_split in + (if i = 0 then () else extract_nodelist_conn h0 nl (i-1)); + (if i = length nl - 1 then () else extract_nodelist_conn h0 nl i); + (if i = 0 then () else ( + if i = length nl - 1 then (lemma_unsnoc_is_last nl) else ( + lemma_unsnoc_is_last l1; + let left = last l1 in + let right = hd l2 in + lemma_splitAt_reindex_left i nl (length l1 - 1); + // assert (left == (nl.[i]@h0).blink); + lemma_splitAt_reindex_right i nl 1; + // assert (right == (nl.[i]@h0).flink); + nodelist_split_aa l1 (x :: l2); + // assert (Mod.loc_disjoint (nodelist_fp0 l1) (nodelist_fp0 l2)); + assert (Mod.loc_includes (nodelist_fp0 l1) (Mod.loc_buffer left)); // OBSERVE + assert (Mod.loc_includes (nodelist_fp0 l2) (Mod.loc_buffer right)); // OBSERVE + () + ))) + +#reset-options + +/// When something unrelated to a XYZ is changed, the XYZ itself shall +/// remain valid + +let rec nodelist_remains_valid (#t:Type) (h0 h1:heap) (loc:Mod.loc) (nl:nodelist t) : + Lemma + (requires ( + (nodelist_valid h0 nl) /\ + (Mod.modifies loc h0 h1) /\ + (Mod.loc_disjoint loc (nodelist_fp0 nl)))) + (ensures (nodelist_valid h1 nl)) = + match nl with + | [] -> () + | _ -> nodelist_remains_valid h0 h1 loc (tl nl) + +let piece_remains_valid (#t:Type) (h0 h1:heap) (loc:Mod.loc) (p:piece t) : + Lemma + (requires ( + (piece_valid h0 p) /\ + (Mod.modifies loc h0 h1) /\ + (Mod.loc_disjoint loc (piece_fp0 p)))) + (ensures (piece_valid h1 p)) = + nodelist_remains_valid h0 h1 loc p.pnodes + +/// When outward facing pointers of ends of pieces are modified, they +/// still remain valid + +#set-options "--z3rlimit 20" + +let piece_remains_valid_b (#t:Type) (h0 h1:heap) (p:piece t) : + Lemma + (requires ( + (piece_valid h0 p) /\ + (Mod.modifies (Mod.loc_buffer p.phead) h0 h1) /\ + (h1 `contains` p.phead) /\ + (p.phead@h0).flink == (p.phead@h1).flink)) + (ensures (piece_valid h1 p) /\ (p.ptail@h0).flink == (p.ptail@h1).flink) = + let nodes = p.pnodes in + if length nodes > 1 then ( + nodelist_includes_r_fp0 nodes 1 (length nodes - 1); + lemma_unsnoc_is_last nodes; + // assert (p.ptail == nodes.[length nodes - 1]); + // assert (p.ptail@h0 == p.ptail@h1); + // assert (h1 `contains` p.ptail); + // assert (Mod.loc_disjoint (Mod.loc_buffer p.phead) (nodelist_fp0 (tl nodes))); + nodelist_remains_valid h0 h1 (Mod.loc_buffer p.phead) (tl nodes) + ) else () + +let piece_remains_valid_f (#t:Type) (h0 h1:heap) (p:piece t) : + Lemma + (requires ( + (piece_valid h0 p) /\ + (Mod.modifies (Mod.loc_buffer p.ptail) h0 h1) /\ + (h1 `contains` p.ptail) /\ + (p.ptail@h0).blink == (p.ptail@h1).blink)) + (ensures (piece_valid h1 p) /\ (p.phead@h0).blink == (p.phead@h1).blink) = + let nodes = reveal p.pnodes in + if length nodes > 1 then ( + fst_unsnoc_nodelist_valid h0 nodes; + // assert (nodelist_valid h0 (fst (unsnoc nodes))); + lemma_unsnoc_is_last nodes; + // assert (Mod.loc_disjoint (Mod.loc_buffer p.ptail) (nodelist_fp0 (fst (unsnoc nodes)))); + nodelist_remains_valid h0 h1 (Mod.loc_buffer p.ptail) (fst (unsnoc nodes)); + // assert (nodelist_contained h1 (fst (unsnoc nodes))); + // assert (h1 `contains` (snd (unsnoc nodes))); + nodelist_append_contained h1 (fst (unsnoc nodes)) [snd (unsnoc nodes)]; + // assert (nodelist_contained h1 (reveal p.pnodes)); + // assert (piece_contained h1 p); + extract_nodelist_conn h0 nodes (length nodes - 2); + // let nl1 = fst (unsnoc nodes) in + lemma_unsnoc_is_last (fst (unsnoc nodes)); + // assert (last nl1 == nl1.[length nl1 - 1]); + // assert (last nl1 == nl1.[length nodes - 2]); + lemma_unsnoc_index nodes (length nodes - 2); + // assert (last nl1 == nodes.[length nodes - 2]); + // assert ((last (fst (unsnoc nodes)))@h0 |>> (hd [snd (unsnoc nodes)])); + // assert (Mod.loc_disjoint (nodelist_fp0 (fst (unsnoc nodes))) (Mod.loc_buffer p.ptail)); + // assert (Mod.loc_disjoint (Mod.loc_buffer (last (fst (unsnoc nodes)))) (Mod.loc_buffer p.ptail)); + // assert (Mod.modifies (Mod.loc_buffer p.ptail) h0 h1); + extract_nodelist_contained h0 nodes (length nodes - 2); + // assert (h0 `contains` last (fst (unsnoc nodes))); + // assert (Mod.loc_disjoint (nodelist_fp0 (fst (unsnoc nodes))) (Mod.loc_buffer p.ptail)); + assert (Mod.loc_includes (nodelist_fp0 (fst (unsnoc nodes))) (Mod.loc_buffer (last (fst (unsnoc nodes))))); // OBSERVE + // assert (Mod.loc_disjoint (Mod.loc_buffer (last (fst (unsnoc nodes)))) (Mod.loc_buffer p.ptail)); + lemma_snoc_length (unsnoc nodes); + // assert ((last (fst (unsnoc nodes)))@h0 == (last (fst (unsnoc nodes)))@h1); + // assert ((last (fst (unsnoc nodes)))@h1 |>> (hd [snd (unsnoc nodes)])); + // assert ((last (fst (unsnoc nodes))) <<| (hd [snd (unsnoc nodes)])@h1); + nodelist_append_conn h1 (fst (unsnoc nodes)) [snd (unsnoc nodes)]; + // assert (nodelist_conn h1 (reveal p.pnodes)); + // assert (piece_conn h1 p); + // assert ((p.phead@h0).blink == (p.phead@h1).blink); + () + ) else () + +#reset-options + +/// Testing is a node is within a dll or not + +let node_not_in_dll (#t:Type) (h0:heap) (n:pointer (node t)) (d:dll t) = + let m1 = Mod.loc_buffer n in + let m2 = dll_fp0 d in + Mod.loc_disjoint m1 m2 + +/// An empty dll has no nodes + +let _auto_empty_dll (#t:Type) (h0:heap) (d:dll t) : + Lemma + (requires (dll_valid h0 d /\ (d.lhead == null \/ d.ltail == null))) + (ensures (reveal d.nodes == [])) + [SMTPat (dll_valid h0 d); + SMTPat (reveal d.nodes)] = () + +/// Be able to easily reason about unchanged payloads + +let rec aux_unchanged_payload #t h0 h1 n0 (nl:nodelist t) : + Lemma + (requires (Mod.modifies (Mod.loc_buffer n0) h0 h1 /\ + (n0@h0).p == (n0@h1).p /\ + (nodelist_aa_r nl) /\ + (n0 `memP` nl \/ Mod.loc_disjoint (Mod.loc_buffer n0) (nodelist_fp0 nl)) + )) + (ensures (unchanged_node_vals h0 h1 nl)) + (decreases (length nl)) = + match nl with + | [] -> () + | n :: nl' -> + aux_unchanged_payload h0 h1 n0 nl'; + assert (n0 `memP` nl ==> (n == n0 \/ n0 `memP` nl')); + let goal () = unchanged_node_val h0 h1 n in + FStar.Classical.or_elim #_ #_ #goal + (fun (_:unit{n0 `memP` nl}) -> + FStar.Classical.or_elim #_ #_ #goal + (fun (_:unit{n == n0}) -> ()) + (fun (_:unit{n0 `memP` nl'}) -> + let i = nl' `index_of` n0 in + extract_nodelist_fp0 nl' i)) + (fun (_:unit{Mod.loc_disjoint (Mod.loc_buffer n0) (nodelist_fp0 nl)}) -> ()) + +let rec aux_unchanged_payload_nomod #t h0 h1 (nl:nodelist t) : + Lemma + (requires (Mod.modifies Mod.loc_none h0 h1)) + (ensures (unchanged_node_vals h0 h1 nl)) = + match nl with + | [] -> () + | n :: nl' -> + aux_unchanged_payload_nomod h0 h1 nl' + +let rec aux_unchanged_payload_transitive #t h0 h1 h2 (nl:nodelist t) : + Lemma + (requires (unchanged_node_vals h0 h1 nl /\ + unchanged_node_vals h1 h2 nl)) + (ensures (unchanged_node_vals h0 h2 nl)) = + match nl with + | [] -> () + | _ :: nl' -> aux_unchanged_payload_transitive h0 h1 h2 nl' + +let rec aux_unchanged_payload_append #t h0 h1 (nl1 nl2:nodelist t) : + Lemma + (requires (unchanged_node_vals h0 h1 nl1 /\ + unchanged_node_vals h0 h1 nl2)) + (ensures (unchanged_node_vals h0 h1 (nl1 `append` nl2))) = + match nl1 with + | [] -> () + | n :: nl' -> aux_unchanged_payload_append h0 h1 nl' nl2 + +/// Now for the actual ST operations that will be exposed :) + +#set-options "--z3rlimit 500 --max_fuel 2 --max_ifuel 1" + +let dll_insert_at_head (#t:Type) (d:dll t) (n:pointer (node t)) : + StackInline (dll t) + (requires (fun h0 -> + (dll_valid h0 d) /\ + (h0 `contains` n) /\ + (node_not_in_dll h0 n d))) + (ensures (fun h0 y h1 -> + Mod.modifies (Mod.loc_union + (Mod.loc_buffer n) + (Mod.loc_buffer d.lhead)) h0 h1 /\ + dll_valid h1 y /\ + unchanged_node_vals h0 h1 y.nodes /\ + reveal y.nodes == n :: reveal d.nodes)) = + if is_null d.lhead then ( + singleton_dll n + ) else ( + let h = d.lhead in + // + let h0 = ST.get () in + !<<|= n; + n =|>> h; + let h0' = ST.get () in + n <<|= h; + let h1 = ST.get () in + // + aux_unchanged_payload h0 h0' n d.nodes; + aux_unchanged_payload h0' h1 h d.nodes; + aux_unchanged_payload_transitive h0 h0' h1 d.nodes; + // + let Frag1 p1 = tot_dll_to_fragment h0 d in + let p = tot_node_to_piece h0 n in + let f' = Frag2 p p1 in + // assert (fragment_valid h1 [p]); + // assert (fragment_ghostly_connections f); + // assert (length f = 1); + // assert (h1 `contains` (hd f).phead); + piece_remains_valid h0 h0' (Mod.loc_buffer n) p1; + // assert (piece_valid h0' (hd f)); + piece_remains_valid_b h0' h1 p1; + // assert (h1 `contains` (hd f).ptail); + // assert (nodelist_contained h1 (reveal (hd f).pnodes)); + // assert (piece_contained h1 (hd f)); + // assert (fragment_contained h1 f); + // assert (fragment_aa f); + // assert (nodelist_conn h1 (reveal (f.[0]).pnodes)); + // assert (fragment_conn h1 f); + // assert (fragment_valid h1 f); + // assert (fragment_valid h1 f'); + // assert (fragment_defragmentable h1 f'); + // assert (length f' > 0); + // assert (is_null ((hd f').phead@h1).blink); + // assert (is_null ((last f').ptail@h0).flink); + // assert (is_null ((last f').ptail@h0').flink); + // assert (is_null ((last f').ptail@h1).flink); + let y = tot_defragmentable_fragment_to_dll h1 f' in + // assert (dll_valid h1 y); + y + ) + +#reset-options + +#set-options "--z3rlimit 500 --max_fuel 2 --max_ifuel 1" + +let dll_insert_at_tail (#t:Type) (d:dll t) (n:pointer (node t)) : + StackInline (dll t) + (requires (fun h0 -> + (dll_valid h0 d) /\ + (h0 `contains` n) /\ + (node_not_in_dll h0 n d))) + (ensures (fun h0 y h1 -> + Mod.modifies (Mod.loc_union + (Mod.loc_buffer n) + (Mod.loc_buffer d.ltail)) h0 h1 /\ + (dll_fp0 y `loc_equiv` B.loc_union (dll_fp0 d) (Mod.loc_buffer n)) /\ + dll_valid h1 y /\ + unchanged_node_vals h0 h1 y.nodes /\ + reveal y.nodes == snoc (reveal d.nodes, n))) = + if is_null d.lhead then ( + singleton_dll n + ) else ( + let t = d.ltail in + // + let h0 = ST.get () in + !=|>> n; + t <<|= n; + let h0' = ST.get () in + lemma_dll_links_contained h0 d (length d.nodes - 1); + lemma_unsnoc_is_last d.nodes; + // assert (Mod.loc_disjoint (Mod.loc_buffer (t@h0).blink) (Mod.loc_buffer n)); + t =|>> n; + let h1 = ST.get () in + // + let Frag1 p1 = tot_dll_to_fragment h0 d in + let p = tot_node_to_piece h0 n in + let f' = Frag2 p1 p in + piece_remains_valid h0 h0' (Mod.loc_buffer n) p1; + piece_remains_valid_f h0' h1 p1; + let y = tot_defragmentable_fragment_to_dll h1 f' in + lemma_unsnoc_is_last y.nodes; + lemma_snoc_unsnoc (reveal d.nodes, n); + lemma_unsnoc_index y.nodes (length (y.nodes) - 2); + lemma_unsnoc_length y.nodes; + aux_unchanged_payload h0 h0' n y.nodes; + aux_unchanged_payload h0' h1 t y.nodes; + aux_unchanged_payload_transitive h0 h0' h1 y.nodes; + y + ) + +#reset-options + +// let _l_insert_after (x0:'a) (l:list 'a{x0 `memP` l}) (x:'a) : GTot (list 'a) = +// let l1, x1 :: l2 = lemma_split_using l x0; split_using l x0 in +// assert (x0 == x1); +// l1 `append` (x0 :: (x :: l2)) +// +// #set-options "--z3rlimit 1000 --initial_fuel 2 --initial_ifuel 1" +// +// let dll_insert_after (#t:Type) (d:dll t) (e:pointer (node t)) (n:pointer (node t)) : +// StackInline (dll t) +// (requires (fun h0 -> +// (dll_valid h0 d) /\ +// (e `memP` d.nodes) /\ +// (h0 `contains` n) /\ +// (node_not_in_dll h0 n d))) +// (ensures (fun h0 y h1 -> +// Mod.modifies (Mod.loc_union +// (Mod.loc_union +// (Mod.loc_buffer n) +// (Mod.loc_buffer d.ltail)) +// (Mod.loc_union +// (Mod.loc_buffer e) +// (Mod.loc_buffer (e@h0).flink))) h0 h1 /\ +// (dll_fp0 y `loc_equiv` B.loc_union (dll_fp0 d) (Mod.loc_buffer n)) /\ +// dll_valid h1 y /\ +// unchanged_node_vals h0 h1 y.nodes /\ +// reveal y.nodes == _l_insert_after e d.nodes n)) = +// let h0 = ST.get () in +// // assert (length d.nodes > 0); +// lemma_dll_links_contained h0 d (d.nodes `index_of` e); +// extract_nodelist_contained h0 d.nodes (d.nodes `index_of` e); +// let e1 = (!*e).blink in +// let e2 = (!*e).flink in +// if is_null e2 then ( +// let y = dll_insert_at_tail d n in +// assume (reveal y.nodes == _l_insert_after e (reveal d.nodes) n); +// y +// ) else ( +// extract_nodelist_fp0 d.nodes (d.nodes `index_of` e); +// lemma_unsnoc_is_last d.nodes; +// extract_nodelist_conn h0 d.nodes (d.nodes `index_of` e); +// extract_nodelist_fp0 d.nodes (d.nodes `index_of` e + 1); +// if not (is_null e1) then ( +// extract_nodelist_conn h0 d.nodes (d.nodes `index_of` e - 1); +// extract_nodelist_fp0 d.nodes (d.nodes `index_of` e - 1) +// ) else (); +// e <<|= n; +// // let h' = ST.get () in assert (h' `contains` e2); assert (Mod.loc_disjoint (Mod.loc_buffer n) (Mod.loc_buffer e2)); +// n =|>> e2; +// let h0' = ST.get () in +// // assert (is_not_null e1 ==> e1 == (reveal d.nodes).[reveal d.nodes `index_of` e - 1]); +// // assert (is_not_null e1 ==> Mod.loc_includes (nodelist_fp0 (reveal d.nodes)) (Mod.loc_buffer e1)); +// // assert (is_not_null e1 ==> Mod.loc_disjoint (Mod.loc_buffer n) (Mod.loc_buffer e1)); +// // assert (Mod.loc_disjoint (Mod.loc_buffer n) (Mod.loc_buffer e1)); +// Mod.modifies_buffer_elim e1 (Mod.loc_buffer n) h0 h0'; +// e =|>> n; +// let h0'' = ST.get () in +// // assert (h0 `contains` e2); +// // assert (h0' `contains` e2); +// // assert (e2 == (reveal d.nodes).[reveal d.nodes `index_of` e + 1]); +// extract_nodelist_aa_r d.nodes (d.nodes `index_of` e); +// lemma_split3_r_hd d.nodes (d.nodes `index_of` e); +// lemma_split3_append d.nodes (d.nodes `index_of` e); +// lemma_split3_index d.nodes (d.nodes `index_of` e); +// lemma_split3_length d.nodes (d.nodes `index_of` e); +// // assert (Mod.loc_includes (nodelist_fp0 (reveal d.nodes)) (nodelist_fp0 (let _,_,z = split3 (reveal d.nodes) (reveal d.nodes `index_of` e) in z))); +// // assert (Mod.loc_includes (nodelist_fp0 (let _,_,z = split3 (reveal d.nodes) (reveal d.nodes `index_of` e) in z)) (Mod.loc_buffer e2)); +// // assert (Mod.loc_disjoint (Mod.loc_buffer e2) (Mod.loc_buffer e)); +// // assert (Mod.modifies (Mod.loc_buffer e) h0' h0''); +// Mod.modifies_buffer_elim e2 (Mod.loc_buffer e) h0' h0''; +// // assert (h0'' `contains` e2); +// n <<|= e2; +// let h1 = ST.get () in +// // +// // assert (e `memP` reveal d.nodes); +// // assert (e2 `memP` reveal d.nodes); +// // assert (e@h0 |>> e2 /\ e <<| e2@h0); +// let f = tot_dll_to_fragment_split h0 d e e2 in +// // assert (length f = 2); +// let Frag2 p1 p3 = f in +// // assert ([p1 ; p3] == f); +// let p2 = tot_node_to_piece h0 n in +// let f' = Frag3 p1 p2 p3 in +// // assert (Mod.modifies (Mod.loc_buffer n) h0 h0'); +// // assert (piece_valid h0 p1); +// // assert (loc_equiv (dll_fp0 d) (fragment_fp0 f)); +// // assert (Mod.loc_disjoint (Mod.loc_buffer n) (dll_fp0 d)); +// // assert (Mod.loc_includes (dll_fp0 d) (fragment_fp0 f)); +// // assert (Mod.loc_includes (fragment_fp0 f) (piece_fp0 p1)); +// Mod.loc_includes_trans (dll_fp0 d) (fragment_fp0 f) (piece_fp0 p1); +// // assert (Mod.loc_includes (dll_fp0 d) (piece_fp0 p1)); +// // assert (Mod.loc_disjoint (Mod.loc_buffer n) (piece_fp0 p1)); +// piece_remains_valid h0 h0' (Mod.loc_buffer n) p1; +// // assert (piece_valid h0 p3); +// Mod.loc_includes_trans (dll_fp0 d) (fragment_fp0 f) (piece_fp0 p3); +// // assert (Mod.loc_disjoint (Mod.loc_buffer n) (piece_fp0 p3)); +// piece_remains_valid h0 h0' (Mod.loc_buffer n) p3; +// piece_remains_valid_f h0' h0'' p1; +// // assert (Mod.loc_disjoint (piece_fp0 p1) (piece_fp0 p3)); +// piece_remains_valid h0' h0'' (piece_fp0 p1) p3; +// piece_remains_valid h0'' h1 (piece_fp0 p3) p1; +// piece_remains_valid_b h0'' h1 p3; +// // assert ([p2 ; p3] == append [p2] [p3]); +// // assert (f' == append [p1] [p2 ; p3]); +// // +// // assert (fragment_valid h1 f'); +// assert (fragment_defragmentable h1 (Frag2 p2 p3)); // OBSERVE +// // assert (fragment_defragmentable h1 f'); +// // assert (length f' > 0); +// // assert (is_null ((hd f').phead@h1).blink); +// // lemma_unsnoc_is_last f'; +// // assert (last f' == p3); +// // assert (is_null ((last f').ptail@h1).flink); +// let y = tot_defragmentable_fragment_to_dll h1 f' in +// assume (n `memP` y.nodes); +// assume (e `memP` y.nodes); +// assume (e2 `memP` y.nodes); +// aux_unchanged_payload h0 h0' n y.nodes; +// aux_unchanged_payload h0' h0'' e y.nodes; +// aux_unchanged_payload h0'' h1 e2 y.nodes; +// aux_unchanged_payload_transitive h0 h0' h0'' y.nodes; +// aux_unchanged_payload_transitive h0 h0'' h1 y.nodes; +// assume (reveal y.nodes == _l_insert_after e (reveal d.nodes) n); +// y +// ) +// +// #reset-options + +// let _l_insert_before (x0:'a) (l:list 'a{x0 `memP` l}) (x:'a) : GTot (list 'a) = +// let l1, l2 = split_using l x0 in +// l1 `append` (x :: l2) +// +// #set-options "--z3rlimit 50" +// +// let dll_insert_before (#t:Type) (d:dll t) (e:pointer (node t)) (n:pointer (node t)) : +// StackInline (dll t) +// (requires (fun h0 -> +// (dll_valid h0 d) /\ +// (e `memP` d.nodes) /\ +// (h0 `contains` n) /\ +// (node_not_in_dll h0 n d))) +// (ensures (fun h0 y h1 -> +// Mod.modifies (Mod.loc_union +// (Mod.loc_buffer d.lhead) +// (Mod.loc_union +// (Mod.loc_union +// (Mod.loc_buffer n) +// (Mod.loc_buffer d.ltail)) // this is needed due to using "after" +// // TODO: Figure out a way to remove it +// (Mod.loc_union +// (Mod.loc_buffer (e@h0).blink) +// (Mod.loc_buffer e)))) h0 h1 /\ +// (dll_fp0 y `loc_equiv` B.loc_union (dll_fp0 d) (Mod.loc_buffer n)) /\ +// dll_valid h1 y /\ +// unchanged_node_vals h0 h1 y.nodes /\ +// reveal y.nodes == _l_insert_before e d.nodes n)) = +// let h0 = ST.get () in +// extract_nodelist_contained h0 d.nodes (d.nodes `index_of` e); +// let e1 = (!*e).blink in +// lemma_dll_links_contained h0 d (d.nodes `index_of` e); +// if is_null e1 then ( +// let y = dll_insert_at_head d n in +// assume (reveal y.nodes == _l_insert_before e d.nodes n); +// y +// ) else ( +// extract_nodelist_conn h0 d.nodes (d.nodes `index_of` e - 1); +// let y = dll_insert_after d e1 n in +// assume (reveal y.nodes == _l_insert_before e (reveal d.nodes) n); +// y +// ) +// +// #reset-options + +unfold +let _aux_fp_split_by_node (d0 d1:dll 'a) (n:pointer (node 'a)) = + dll_fp0 d0 `loc_equiv` B.loc_union (dll_fp0 d1) (Mod.loc_buffer n) /\ + dll_fp0 d1 `B.loc_disjoint` Mod.loc_buffer n + +#set-options "--z3rlimit 20" + +let dll_remove_head (#t:Type) (d:dll t) : + StackInline (dll t) + (requires (fun h0 -> + (dll_valid h0 d) /\ + (length d.nodes > 0))) + (ensures (fun h0 y h1 -> + Mod.modifies (Mod.loc_buffer (d.lhead@h0).flink) h0 h1 /\ + _aux_fp_split_by_node d y d.lhead /\ + dll_valid h1 y /\ + unchanged_node_vals h0 h1 d.nodes /\ + reveal y.nodes == tl d.nodes)) = + let h0 = ST.get () in + let e = d.lhead in + let e2 = (!*e).flink in + if is_null e2 then ( + empty_list + ) else ( + !<<|= e2; + let h1 = ST.get () in + let f = tot_dll_to_fragment_split h0 d e e2 in + let Frag2 p1 p2 = f in + // assert (p1.phead == e); + // assert (p1.ptail == e); + let f' = Frag1 p2 in + piece_remains_valid_b h0 h1 p2; + let y = tot_defragmentable_fragment_to_dll h1 f' in + aux_unchanged_payload h0 h1 e2 d.nodes; + y + ) + +#reset-options + +let rec _lemma_only_head_can_point_left_to_null (#t:Type) (h0:heap) (e:pointer (node t)) (l:nodelist t) : + Lemma + (requires (e `memP` l /\ (e@h0).blink == null /\ nodelist_conn h0 l)) + (ensures (e == hd l)) = + match l with + | [_] -> () + | _ -> + FStar.Classical.or_elim #(e == hd l) #(e =!= hd l) #(fun () -> e == hd l) + (fun _ -> ()) + (fun _ -> + _lemma_only_head_can_point_left_to_null h0 e (tl l); + extract_nodelist_conn h0 l 0) + +let rec _lemma_only_tail_can_point_right_to_null (#t:Type) (h0:heap) (e:pointer (node t)) (l:nodelist t) : + Lemma + (requires (e `memP` l /\ (e@h0).flink == null /\ nodelist_conn h0 l)) + (ensures (e == last l)) = + match l with + | [_] -> () + | _ -> _lemma_only_tail_can_point_right_to_null h0 e (tl l) + +let rec _lemma_all_nodes_are_unique (#t:Type) (h0:heap) (l:nodelist t) (i j:nat) : + Lemma + (requires ( + (nodelist_conn h0 l) /\ + (i < length l) /\ + (j < length l) /\ + (((hd l)@h0).blink == null) /\ + (index l i == index l j))) + (ensures (i = j)) = + match i, j with + | 0, 0 -> () + | 0, _ -> extract_nodelist_conn h0 l (j - 1) + | _, 0 -> extract_nodelist_conn h0 l (i - 1) + | _ -> + extract_nodelist_conn h0 l (i - 1); + extract_nodelist_conn h0 l (j - 1); + _lemma_all_nodes_are_unique h0 l (i - 1) (j - 1) + +#set-options "--z3rlimit 50" + +let dll_remove_tail (#t:Type) (d:dll t) : + StackInline (dll t) + (requires (fun h0 -> + (dll_valid h0 d) /\ + (length d.nodes > 0))) + (ensures (fun h0 y h1 -> + Mod.modifies (Mod.loc_buffer (d.ltail@h0).blink) h0 h1 /\ + _aux_fp_split_by_node d y d.ltail /\ + dll_valid h1 y /\ + unchanged_node_vals h0 h1 d.nodes /\ + reveal y.nodes == fst (unsnoc (reveal d.nodes)))) = + let h0 = ST.get () in + let e = d.ltail in + let e1 = (!*e).blink in + lemma_dll_links_contained h0 d (length d.nodes - 1); + lemma_unsnoc_is_last d.nodes; + if is_null e1 then ( + _lemma_only_head_can_point_left_to_null h0 e d.nodes; + empty_list + ) else ( + extract_nodelist_contained h0 d.nodes (length (d.nodes) - 2); + extract_nodelist_conn h0 d.nodes (length (d.nodes) - 2); + // assert (e == (reveal d.nodes).[length (reveal d.nodes) - 1]); + // assert (e1 == (reveal d.nodes).[length (reveal d.nodes) - 2]); + !=|>> e1; + let h1 = ST.get () in + let f = tot_dll_to_fragment_split h0 d e1 e in + let Frag2 p1 p2 = f in + lemma_snoc_length (reveal p1.pnodes, e); + // assert (reveal p1.pnodes == fst (unsnoc (reveal d.nodes))); + let f' = Frag1 p1 in + piece_remains_valid_f h0 h1 p1; + let y = tot_defragmentable_fragment_to_dll h1 f' in + aux_unchanged_payload h0 h1 e1 (d.nodes); + // assert (reveal y.nodes == reveal p1.pnodes); + y + ) + +#reset-options + +// let _l_remove_mid (l:list 'a{length l > 0}) (x:'a {x `memP` l}) : GTot (list 'a) = +// let l1, x0 :: l2 = lemma_split_using l x; split_using l x in +// assert (x == x0); +// l1 `append` l2 +// +// #set-options "--z3rlimit 400 --initial_fuel 2 --initial_ifuel 2" +// +// let dll_remove_node (#t:Type) (d:dll t) (e:pointer (node t)) : +// StackInline (dll t) +// (requires (fun h0 -> +// (dll_valid h0 d) /\ +// (e `memP` d.nodes))) +// (ensures (fun h0 y h1 -> +// Mod.modifies (Mod.loc_union +// (Mod.loc_union +// (Mod.loc_buffer (d.lhead@h0).flink) +// (Mod.loc_buffer (d.ltail@h0).blink)) +// (Mod.loc_union +// (Mod.loc_buffer (e@h0).blink) +// (Mod.loc_buffer (e@h0).flink))) h0 h1 /\ +// _aux_fp_split_by_node d y e /\ +// dll_valid h1 y /\ +// unchanged_node_vals h0 h1 d.nodes /\ +// reveal y.nodes == _l_remove_mid d.nodes e)) = +// let h0 = ST.get () in +// extract_nodelist_contained h0 d.nodes (d.nodes `index_of` e); +// let e1 = (!*e).blink in +// let e2 = (!*e).flink in +// lemma_dll_links_contained h0 d (d.nodes `index_of` e); +// if is_null e1 then ( +// _lemma_only_head_can_point_left_to_null h0 e d.nodes; +// dll_remove_head d +// ) else if is_null e2 then ( +// _lemma_only_tail_can_point_right_to_null h0 e d.nodes; +// let y = dll_remove_tail d in +// let h1 = ST.get () in +// // assume (unchanged_node_vals h0 h1 (reveal d.nodes)); +// assume (reveal y.nodes == _l_remove_mid d.nodes e); +// y +// ) else ( +// admit (); +// lemma_dll_links_contained h0 d (d.nodes `index_of` e); +// extract_nodelist_conn h0 d.nodes (d.nodes `index_of` e - 1); +// extract_nodelist_aa_r d.nodes (d.nodes `index_of` e - 1); +// extract_nodelist_fp0 d.nodes (d.nodes `index_of` e); +// lemma_dll_links_disjoint h0 d (d.nodes `index_of` e); +// e1 =|>> e2; +// let h0' = ST.get () in +// e1 <<|= e2; +// let h1 = ST.get () in +// // assert (e1 == (reveal d.nodes).[reveal d.nodes `index_of` e - 1]); +// // assert (e1 `memP` reveal d.nodes); +// // assert (e1@h0 |>> e); +// let f = tot_dll_to_fragment_split h0 d e1 e in +// let Frag2 p1 p2 = f in +// let p2' = tot_piece_tail h0 p2 e2 in +// let f' = Frag2 p1 p2' in +// piece_remains_valid_f h0 h0' p1; +// piece_remains_valid h0' h1 (Mod.loc_buffer e2) p1; +// piece_remains_valid h0 h0' (Mod.loc_buffer e1) p2'; +// piece_remains_valid_b h0' h1 p2'; +// let y = tot_defragmentable_fragment_to_dll h1 f' in +// // assert (dll_valid h1 y); +// assume (_aux_fp_split_by_node d y e); +// assume (unchanged_node_vals h0 h1 d.nodes); +// assume (reveal y.nodes == _l_remove_mid d.nodes e); +// y +// ) +// +// #reset-options + +#set-options "--z3rlimit 10 --max_fuel 2 --max_ifuel 1" + +let dll_append (#t:Type) (d1 d2:dll t) : + StackInline (dll t) + (requires (fun h0 -> + (dll_valid h0 d1) /\ + (dll_valid h0 d2) /\ + (dll_fp0 d1 `Mod.loc_disjoint` dll_fp0 d2))) + (ensures (fun h0 y h1 -> + Mod.modifies (Mod.loc_union + (Mod.loc_buffer d1.ltail) + (Mod.loc_buffer d2.lhead)) h0 h1 /\ + dll_fp0 y `loc_equiv` (dll_fp0 d1 `B.loc_union` dll_fp0 d2) /\ + dll_valid h1 y /\ + unchanged_node_vals h0 h1 y.nodes /\ + reveal y.nodes == d1.nodes `append` d2.nodes)) = + let h0 = ST.get () in + if is_null d1.lhead then ( + let y = d2 in + let h1 = ST.get () in + aux_unchanged_payload_nomod h0 h1 y.nodes; + y + ) else ( + if is_null d2.lhead then ( + let y = d1 in + let h1 = ST.get () in + aux_unchanged_payload_nomod h0 h1 y.nodes; + append_l_nil y.nodes; + y + ) else ( + let n1 = d1.ltail in + let n2 = d2.lhead in + n1 =|>> n2; + let h0' = ST.get () in + n1 <<|= n2; + let h1 = ST.get () in + // + let p1 = tot_dll_to_piece h0 d1 in + let p2 = tot_dll_to_piece h0 d2 in + let f' = Frag2 p1 p2 in + piece_remains_valid_f h0 h0' p1; + piece_remains_valid h0 h0' (Mod.loc_buffer n1) p2; + piece_remains_valid h0' h1 (Mod.loc_buffer n2) p1; + piece_remains_valid_b h0' h1 p2; + let y = tot_defragmentable_fragment_to_dll h1 f' in + lemma_unsnoc_is_last d1.nodes; + aux_unchanged_payload h0 h0' n1 d1.nodes; + aux_unchanged_payload h0 h0' n1 d2.nodes; + aux_unchanged_payload h0' h1 n2 d1.nodes; + aux_unchanged_payload h0' h1 n2 d2.nodes; + aux_unchanged_payload_transitive h0 h0' h1 d1.nodes; + aux_unchanged_payload_transitive h0 h0' h1 d2.nodes; + aux_unchanged_payload_append h0 h1 d1.nodes d2.nodes; + y + ) + ) + +#reset-options + +// #set-options "--z3rlimit 40 --max_fuel 2 --max_ifuel 1" +// +// let dll_split_using (#t:Type) (d:dll t) (e:pointer (node t)) : +// StackInline (dll t * dll t) +// (requires (fun h0 -> +// (dll_valid h0 d) /\ +// (e `memP` d.nodes))) +// (ensures (fun h0 (y1, y2) h1 -> +// Mod.modifies (Mod.loc_union +// (Mod.loc_union +// (Mod.loc_buffer (d.lhead@h0).flink) +// (Mod.loc_buffer (d.ltail@h0).blink)) +// (Mod.loc_union +// (Mod.loc_buffer (e@h0).blink) +// (Mod.loc_buffer e))) h0 h1 /\ +// dll_valid h1 y1 /\ +// dll_valid h1 y2 /\ +// dll_fp0 d `loc_equiv` (dll_fp0 y1 `Mod.loc_union` dll_fp0 y2) /\ +// dll_fp0 y1 `Mod.loc_disjoint` dll_fp0 y2 /\ +// unchanged_node_vals h0 h1 d.nodes /\ +// (reveal y1.nodes, reveal y2.nodes) == split_using d.nodes e)) = +// let h0 = ST.get () in +// extract_nodelist_contained h0 d.nodes (d.nodes `index_of` e); +// let e1 = (!*e).blink in +// lemma_dll_links_contained h0 d (d.nodes `index_of` e); +// if is_null e1 then ( +// let d1, d2 = empty_list, d in +// let h1 = ST.get () in +// aux_unchanged_payload_nomod h0 h1 d.nodes; +// _lemma_only_head_can_point_left_to_null h0 e d.nodes; +// d1, d2 +// ) else ( +// lemma_dll_links_contained h0 d (d.nodes `index_of` e); +// extract_nodelist_conn h0 d.nodes (d.nodes `index_of` e - 1); +// !=|>> e1; +// let h0' = ST.get () in +// !<<|= e; +// let h1 = ST.get () in +// // +// let Frag2 p1 p2 = tot_dll_to_fragment_split h0 d e1 e in +// lemma_unsnoc_is_last p1.pnodes; +// piece_remains_valid_f h0 h0' p1; +// piece_remains_valid h0 h0' (Mod.loc_buffer e1) p2; +// piece_remains_valid h0' h1 (Mod.loc_buffer e) p1; +// piece_remains_valid_b h0' h1 p2; +// let d1 = tot_piece_to_dll h1 p1 in +// let d2 = tot_piece_to_dll h1 p2 in +// aux_unchanged_payload h0 h0' e1 d.nodes; +// aux_unchanged_payload h0' h1 e d.nodes; +// aux_unchanged_payload_transitive h0 h0' h1 d.nodes; +// d1, d2 +// ) +// +// #reset-options diff --git a/milli/doubly-linked-list/FstarlowstarIface.fst b/milli/doubly-linked-list/FstarlowstarIface.fst new file mode 100644 index 0000000..a2a372b --- /dev/null +++ b/milli/doubly-linked-list/FstarlowstarIface.fst @@ -0,0 +1,1042 @@ +// From https://github.com/FStarLang/FStar/blob/master/examples/doublylinkedlist/DoublyLinkedListIface.fst + +(* + Copyright 2008-2019 Microsoft Research + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*) + +module FstarlowstarIface + +/// This module consists of proofs / code for the iface that is +/// written in the actual fsti. Most of this code will never be user +/// facing, and will soon be merged into the DoublyLinkedList module, +/// as I work on moving stuff into DoublyLinkedList.fsti from the iface +/// fsti. + +module DLL = Fstarlowstar + +module HS = FStar.HyperStack +module HST = FStar.HyperStack.ST +module G = FStar.Ghost +module L = FStar.List.Pure +module B = LowStar.Buffer + +open LowStar.BufferOps + +/// Convenience operators + +unfold let (@) (a:B.pointer 't) (h0:HS.mem) = B.get h0 a 0 +unfold let (^@) (a:B.pointer_or_null 't{a =!= B.null}) (h0:HS.mem) = B.get h0 a 0 + +/// Abstract types defined by this library +/// +/// Note: Somehow confusingly, a node in the iface is a pointer to a +/// real node, and a dll in the iface is a pointer to a real +/// dll. Fortunately though, most users of the library will never even +/// be looking inside the implementation, and thus hopefully it won't +/// be confusing. + +let node a = B.pointer (DLL.node a) +let dll a = B.pointer (DLL.dll a) + +/// Abstract Validity Predicates + +let node_valid h n = True /\ B.live h n // XXX: why do I need the True here? + +let dll_valid h d = + B.live h d /\ + DLL.dll_valid h (d@h) /\ + B.loc_buffer d `B.loc_disjoint` DLL.dll_fp0 (d@h) + +/// Abstract node and list footprints + +let fp_node n = B.loc_buffer n + +let fp_dll h d = + B.loc_union (B.loc_buffer d) (DLL.dll_fp0 (d@h)) + +/// Getters and setters for [node]s + +let g_node_val h n = + (n@h).DLL.p + +let node_val n = + (!*n).DLL.p + +let node_of v = + B.alloca (DLL.empty_node v) 1ul + +/// Abstract Predicate to help "recall" that updating the payload +/// leaves connections unchanged + +let unchanged_node_connections h0 h1 n = + (n@h0).DLL.flink == (n@h1).DLL.flink /\ + (n@h0).DLL.blink == (n@h1).DLL.blink + +/// Be able to modify the payload of a node easily, without affecting +/// membership + +let node_update n v = + n *= { !*n with DLL.p = v } + +/// Abstract Predicate to help "recall" that [g_node_val] remains +/// unchanged for nodes, across multiple [mem]s + +let unchanged_node_val (h0 h1:HS.mem) (n:node 'a) : GTot prop = + (B.live h0 n ==> + (g_node_val h0 n == g_node_val h1 n /\ B.live h1 n)) + +let rec unchanged_node_vals (h0 h1:HS.mem) (ns:list (node 'a)) : GTot prop = + match ns with + | [] -> True + | n :: ns' -> unchanged_node_val h0 h1 n /\ unchanged_node_vals h0 h1 ns' + +/// Viewing ghostly state of a list + +let as_list h d = + (d@h).DLL.nodes + +/// Creating an empty DoublyLinkedList, and quickly accessing the head +/// and tail of a DoublyLinkedList + +let dll_new () = + B.alloca DLL.empty_list 1ul + +let is_empty d = + B.is_null (!*d).DLL.lhead + +let dll_head d = + (!*d).DLL.lhead + +let dll_tail d = + let h0 = HST.get () in + L.lemma_unsnoc_is_last (as_list h0 d); + (!*d).DLL.ltail + +/// Useful auxiliary lemmas + +(** If a node is inside a valid list, then the node is valid. *) +val lemma_node_in_valid_dll_is_valid (h:HS.mem) (d:dll 'a) (n:node 'a) : + Lemma + (requires (dll_valid h d /\ n `L.memP` as_list h d)) + (ensures (node_valid h n)) +let lemma_node_in_valid_dll_is_valid h d n = + let pos = L.index_of (as_list h d) n in + DLL.extract_nodelist_contained h (as_list h d) pos + +(** Aux lemma *) +val _lemma_nodelist_contained_in_unmodified_mem (h0 h1:HS.mem) (s:B.loc) (nl:list (node 'a)) : + Lemma + (requires (B.modifies s h0 h1 /\ + B.loc_disjoint s (DLL.nodelist_fp0 nl) /\ + (DLL.nodelist_contained0 h0 nl))) + (ensures (DLL.nodelist_contained0 h1 nl)) +let rec _lemma_nodelist_contained_in_unmodified_mem h0 h1 s nl = + match nl with + | [] -> () + | n :: ns -> + _lemma_nodelist_contained_in_unmodified_mem h0 h1 s ns + +(** Aux lemma *) +val _lemma_nodelist_conn_in_unmodified_mem (h0 h1:HS.mem) (s:B.loc) (nl:list (node 'a)) : + Lemma + (requires (B.modifies s h0 h1 /\ + B.loc_disjoint s (DLL.nodelist_fp0 nl) /\ + DLL.nodelist_contained0 h0 nl /\ + (DLL.nodelist_conn h0 nl))) + (ensures (DLL.nodelist_conn h1 nl)) +let rec _lemma_nodelist_conn_in_unmodified_mem h0 h1 s nl = + match nl with + | [] -> () + | n1 :: rest -> match rest with + | [] -> () + | n2 :: ns -> + _lemma_nodelist_conn_in_unmodified_mem h0 h1 s rest + +(** Aux lemma *) +val _lemma_nodelist_disjoint_in_push (h0 h1:HS.mem) (nl:list (node 'a)) : + Lemma + (requires (HS.fresh_frame h0 h1 /\ + DLL.nodelist_contained0 h0 nl)) + (ensures (DLL.nodelist_fp0 nl `B.loc_disjoint` (B.loc_region_only false (HS.get_tip h1)))) +let rec _lemma_nodelist_disjoint_in_push h0 h1 nl = + match nl with + | [] -> () + | n :: ns -> + _lemma_nodelist_disjoint_in_push h0 h1 ns + +(** If a new frame is pushed, then a dll remains valid and unchanged. *) +val _auto_dll_valid_and_unchanged_through_push (h0 h1:HS.mem) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ HS.fresh_frame h0 h1)) + (ensures (dll_valid h1 d /\ d@h0 == d@h1)) + [SMTPat (dll_valid h0 d); + SMTPat (HS.fresh_frame h0 h1)] +let _auto_dll_valid_and_unchanged_through_push h0 h1 d = + B.fresh_frame_modifies h0 h1; + _lemma_nodelist_contained_in_unmodified_mem h0 h1 B.loc_none (as_list h1 d); + _lemma_nodelist_conn_in_unmodified_mem h0 h1 B.loc_none (as_list h1 d) + +(** If a frame is popped, then a dll remains valid and unchanged. *) +val _lemma_dll_valid_and_unchanged_through_pop (h0 h1:HS.mem) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ HS.popped h0 h1 /\ + B.loc_disjoint (fp_dll h0 d) (B.loc_region_only false (HS.get_tip h0)))) + (ensures (dll_valid h1 d /\ d@h0 == d@h1)) +let _lemma_dll_valid_and_unchanged_through_pop h0 h1 d = + B.popped_modifies h0 h1; + assert (B.loc_region_only false (HS.get_tip h0) `B.loc_includes` + B.loc_region_only false (HS.get_tip h0)); // OBSERVE + let loc = B.loc_region_only false (HS.get_tip h0) in + _lemma_nodelist_contained_in_unmodified_mem h0 h1 loc (as_list h1 d); + _lemma_nodelist_conn_in_unmodified_mem h0 h1 loc (as_list h1 d) + +(** If stack discipline is followed, then a valid modification inside + a push-pop pair is also valid outside of it. *) +val _auto_dll_modified_with_push_pop (h0 h1:HS.mem) (d:dll 'a) (h2 h3:HS.mem) : + Lemma + (requires (dll_valid h0 d /\ + HS.fresh_frame h0 h1 /\ + B.modifies (B.loc_union (fp_dll h0 d) (fp_dll h3 d)) h1 h2 /\ + B.loc_disjoint (fp_dll h0 d) (B.loc_region_only false (HS.get_tip h2)) /\ + B.loc_disjoint (fp_dll h3 d) (B.loc_region_only false (HS.get_tip h2)) /\ + HS.get_tip h1 == HS.get_tip h2 /\ + dll_valid h2 d /\ + HS.popped h2 h3)) + (ensures (dll_valid h3 d)) + [SMTPat (HS.fresh_frame h0 h1); + SMTPat (HS.popped h2 h3); + SMTPat (dll_valid h3 d)] +let _auto_dll_modified_with_push_pop h0 h1 d h2 h3 = + let loc = B.loc_region_only false (HS.get_tip h2) in + B.popped_modifies h2 h3; + _lemma_nodelist_contained_in_unmodified_mem h2 h3 loc (as_list h3 d); + _lemma_nodelist_conn_in_unmodified_mem h2 h3 loc (as_list h3 d) + +(** If a new frame is pushed, the the dll's fp is disjoint from what just got pushed. *) +val _auto_dll_fp_disjoint_from_push (h0 h1:HS.mem) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ HS.fresh_frame h0 h1)) + (ensures (B.loc_disjoint (fp_dll h0 d) (B.loc_region_only false (HS.get_tip h1)))) + [SMTPat (dll_valid h0 d); + SMTPat (HS.fresh_frame h0 h1)] +let _auto_dll_fp_disjoint_from_push h0 h1 d = + _lemma_nodelist_disjoint_in_push h0 h1 (d@h0).DLL.nodes + +(** If a valid dll is placed into a pointer, it stays valid *) +val _auto_dll_assign_valid_stays_valid (h0 h1:HS.mem) (d:dll 'a) (d2:DLL.dll 'a) : + Lemma + (requires (DLL.dll_valid h0 d2 /\ + B.modifies (B.loc_buffer d) h0 h1 /\ + B.loc_buffer d `B.loc_disjoint` DLL.dll_fp0 d2 /\ + B.live h0 d /\ + d@h1 == d2)) + (ensures (dll_valid h1 d)) + [SMTPat (DLL.dll_valid h0 d2); + SMTPat (B.modifies (B.loc_buffer d) h0 h1); + SMTPat (dll_valid h1 d)] +let _auto_dll_assign_valid_stays_valid h0 h1 d d2 = + _lemma_nodelist_conn_in_unmodified_mem h0 h1 (B.loc_buffer d) d2.DLL.nodes; + _lemma_nodelist_contained_in_unmodified_mem h0 h1 (B.loc_buffer d) d2.DLL.nodes + +(** [unchanged_node_vals] is transitive *) +let rec _lemma_unchanged_node_vals_transitive (h0 h1 h2:HS.mem) (ns:list (node 'a)) : + Lemma + (requires ( + (unchanged_node_vals h0 h1 ns) /\ + (unchanged_node_vals h1 h2 ns))) + (ensures ( + (unchanged_node_vals h0 h2 ns))) = + match ns with + | [] -> () + | _ :: ns' -> _lemma_unchanged_node_vals_transitive h0 h1 h2 ns' + +(** Auxiliary predicate: node list is disjoint from region *) +let rec _pred_nl_disjoint (h:HS.mem) (ns:list (node 'a)) = + DLL.nodelist_fp0 ns `B.loc_disjoint` B.loc_region_only false (HS.get_tip h) + +(** If [unchanged_node_vals] is true, then it remains true through a push-pop. *) +val _auto_unchanged_node_vals_through_push_pop (h0 h1:HS.mem) (ns:list (node 'a)) (h2 h3:HS.mem) : + Lemma + (requires (unchanged_node_vals h1 h2 ns /\ + HS.fresh_frame h0 h1 /\ HS.popped h2 h3 /\ + _pred_nl_disjoint h1 ns /\ + HS.get_tip h1 == HS.get_tip h2)) + (ensures ( + unchanged_node_vals h0 h1 ns /\ // used only for proof. not necessary outside + unchanged_node_vals h2 h3 ns /\ // used only for proof. not necessary outside + unchanged_node_vals h0 h3 ns)) + [SMTPat (unchanged_node_vals h0 h3 ns); + SMTPat (HS.fresh_frame h0 h1); + SMTPat (HS.popped h2 h3)] +let rec _auto_unchanged_node_vals_through_push_pop h0 h1 ns h2 h3 = + match ns with + | [] -> () + | n :: ns' -> + _auto_unchanged_node_vals_through_push_pop h0 h1 ns' h2 h3; + // assert (unchanged_node_vals h0 h1 ns); + // assert (unchanged_node_vals h2 h3 ns); + B.popped_modifies h2 h3 + +(** If a valid dll has a frame pushed, [_pred_nl_disjoint] stays true *) +val _auto_pred_nl_disjoint_push (h0 h1:HS.mem) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ HS.fresh_frame h0 h1)) + (ensures (_pred_nl_disjoint h1 (as_list h1 d))) + [SMTPat (dll_valid h0 d); + SMTPat (HS.fresh_frame h0 h1)] +let _auto_pred_nl_disjoint_push h0 h1 d = + let loc = B.loc_region_only false (HS.get_tip h1) in + let rec aux (ns:list (node 'a)) : + Lemma + (requires (DLL.nodelist_contained h0 ns /\ HS.fresh_frame h0 h1)) + (ensures (_pred_nl_disjoint h1 ns)) = + match ns with + | [] -> () + | n :: ns' -> aux ns' + in + aux (as_list h0 d) + +(** The impl version of [unchanged_node_vals] is same as iface one *) +let rec _auto_unchanged_node_vals_DLL (h0 h1:HS.mem) (ns:list (node 'a)) : + Lemma + (requires (DLL.unchanged_node_vals h0 h1 ns)) + (ensures (unchanged_node_vals h0 h1 ns)) + [SMTPat (unchanged_node_vals h0 h1 ns)] = + match ns with + | [] -> () + | _ :: ns' -> _auto_unchanged_node_vals_DLL h0 h1 ns' + +(** If a valid dll is placed into a pointer, its nodes stay unchanged *) +val _auto_unchanged_node_vals_stays_valid (h0 h1:HS.mem) (d:dll 'a) (d2:DLL.dll 'a) : + Lemma + (requires (DLL.dll_valid h0 d2 /\ + B.modifies (B.loc_buffer d) h0 h1 /\ + B.loc_buffer d `B.loc_disjoint` DLL.dll_fp0 d2 /\ + B.live h0 d /\ + d@h1 == d2)) + (ensures (unchanged_node_vals h0 h1 (as_list h1 d))) + [SMTPat (DLL.dll_valid h0 d2); + SMTPat (B.modifies (B.loc_buffer d) h0 h1); + SMTPat (unchanged_node_vals h0 h1 (as_list h1 d))] +let _auto_unchanged_node_vals_stays_valid h0 h1 d d2 = + let rec aux nl : Lemma + (requires ( + B.modifies (B.loc_buffer d) h0 h1 /\ + DLL.nodelist_fp0 nl `B.loc_disjoint` B.loc_buffer d)) + (ensures (unchanged_node_vals h0 h1 nl)) = + match nl with + | [] -> () + | n :: ns -> aux ns in + aux (as_list h1 d) + +(** If a nodelist is disjoint from a modification, it stays unchanged *) +let rec _lemma_unchanged_node_vals_when_disjoint (h0 h1:HS.mem) loc nl : Lemma + (requires ( + B.modifies loc h0 h1 /\ + DLL.nodelist_fp0 nl `B.loc_disjoint` loc)) + (ensures (unchanged_node_vals h0 h1 nl)) = + match nl with + | [] -> () + | n :: ns -> _lemma_unchanged_node_vals_when_disjoint h0 h1 loc ns + +(** If a dll is assigned to, its original nodes stay unchanged *) +val _lemma_unchanged_node_vals_stays_valid0 (h0 h1:HS.mem) (d:dll 'a) : + Lemma + (requires (B.modifies (B.loc_buffer d) h0 h1 /\ + B.loc_buffer d `B.loc_disjoint` DLL.dll_fp0 (d@h0) /\ + B.live h0 d)) + (ensures (unchanged_node_vals h0 h1 (as_list h0 d))) +let _lemma_unchanged_node_vals_stays_valid0 h0 h1 d = + _lemma_unchanged_node_vals_when_disjoint h0 h1 (B.loc_buffer d) (as_list h0 d) + +(** If a node belongs to a dll, then its fp is included *) +let rec _lemma_node_in_list_is_included (n:node 'a) (nl:list (node 'a)) : + Lemma + (requires (n `L.memP` nl)) + (ensures (DLL.nodelist_fp0 nl `B.loc_includes` fp_node n)) = + match nl with + | [_] -> () + | n' :: ns -> + FStar.Classical.or_elim #_ #_ #(fun () -> DLL.nodelist_fp0 nl `B.loc_includes` fp_node n) + (fun (_:unit{n == n'}) -> ()) + (fun (_:unit{n =!= n'}) -> _lemma_node_in_list_is_included n ns) + +(** If a node_or_null is null or belongs to a dll, then its fp is included *) +let _lemma_node_in_list_or_null_is_included (n:B.pointer_or_null (DLL.node 'a)) (nl:list (node 'a)) : + Lemma + (requires (n =!= B.null ==> n `L.memP` nl)) + (ensures (DLL.nodelist_fp0 nl `B.loc_includes` B.loc_buffer n)) = + FStar.Classical.arrow_to_impl + #(n =!= B.null) #(DLL.nodelist_fp0 nl `B.loc_includes` B.loc_buffer n) + (fun _ -> _lemma_node_in_list_is_included n nl) + +(** If a node is in the list, then the node before it is also in the list if it is not null *) +let _lemma_prev_node_in_list (h:HS.mem) (n:node 'a) (d:dll 'a) : + Lemma + (requires (dll_valid h d /\ n `L.memP` as_list h d)) + (ensures (let n' = (n@h).DLL.blink in + n' =!= B.null ==> n' `L.memP` as_list h d)) = + let n' = (n@h).DLL.blink in + let l = as_list h d in + FStar.Classical.arrow_to_impl + #(n' =!= B.null) #(n' =!= B.null /\ n' `L.memP` l) + (fun _ -> + lemma_node_in_valid_dll_is_valid h d n; + DLL.extract_nodelist_conn h l (L.index_of l n - 1)) + +(** If a node is in the list, then the node after it is also in the list if it is not null *) +let _lemma_next_node_in_list (h:HS.mem) (n:node 'a) (d:dll 'a) : + Lemma + (requires (dll_valid h d /\ n `L.memP` as_list h d)) + (ensures (let n' = (n@h).DLL.flink in + n' =!= B.null ==> n' `L.memP` as_list h d)) = + let n' = (n@h).DLL.flink in + let l = as_list h d in + FStar.Classical.arrow_to_impl + #(n' =!= B.null) #(n' =!= B.null /\ n' `L.memP` l) + (fun _ -> + lemma_node_in_valid_dll_is_valid h d n; + L.lemma_unsnoc_is_last l; + DLL.extract_nodelist_conn h l (L.index_of l n)) + +// (** Insertion operations maintain membership *) +// let rec _lemma_insertion_maintains_memP (l1 l2:list 'a) (x0 x1 x:'a) : +// Lemma +// (requires ((x0 `L.memP` l1) /\ +// ((l2 == DLL._l_insert_before x0 l1 x1) \/ +// (l2 == DLL._l_insert_after x0 l1 x1)) /\ +// (x `L.memP` l1 \/ x == x1))) +// (ensures (x `L.memP` l2)) = +// match l1 with +// | [_] -> () +// | x0' :: l1' -> +// FStar.Classical.or_elim #_ #_ #(fun () -> x `L.memP` l2) +// (fun (_:unit{x0' == x0 \/ x0' == x}) -> ()) +// (fun (_:unit{x0' =!= x0 /\ x0' =!= x}) -> +// _lemma_insertion_maintains_memP l1' (L.tl l2) x0 x1 x) +// +// (** Insertion operations maintain [unchanged_node_vals] *) +// let rec _lemma_insertion_maintains_unchanged_node_vals (h0 h1:HS.mem) (l1 l2:list (node 'a)) (x0 x1:node 'a) : +// Lemma +// (requires ((x0 `L.memP` l1) /\ +// ((l2 == DLL._l_insert_before x0 l1 x1) \/ +// (l2 == DLL._l_insert_after x0 l1 x1)) /\ +// (unchanged_node_vals h0 h1 l2))) +// (ensures (unchanged_node_vals h0 h1 l1)) = +// match l1 with +// | [_] -> () +// | x0' :: l1' -> +// FStar.Classical.arrow_to_impl #(x0 =!= x0') #(unchanged_node_vals h0 h1 l1) +// (fun _ -> +// _lemma_insertion_maintains_unchanged_node_vals h0 h1 l1' (L.tl l2) x0 x1) + +(** Unchanged node vals means that the payloads maintain the changes + that happened *) +let rec _lemma_unchanged_node_vals_maintains_changes (h0 h1:HS.mem) (l:list (node 'a)) : + Lemma + (requires (DLL.nodelist_contained h0 l /\ unchanged_node_vals h0 h1 l)) + (ensures (g_node_vals h1 l == g_node_vals h0 l)) = + match l with + | [] -> () + | h :: t -> + _lemma_unchanged_node_vals_maintains_changes h0 h1 t + +(** Containment holds before/after [append]ing *) +let rec _lemma_append_contains (h0:HS.mem) (l1 l2:list (node 'a)) : + Lemma + (ensures ( + (DLL.nodelist_contained h0 (l1 `L.append` l2)) <==> + (DLL.nodelist_contained h0 l1 /\ DLL.nodelist_contained h0 l2))) = + match l1 with + | [] -> () + | h :: t -> _lemma_append_contains h0 t l2 + +(** [g_node_vals] before/after [append]ing *) +let rec _lemma_append_g_node_vals (h0:HS.mem) (l1 l2:list (node 'a)) : + Lemma + (ensures ( + (g_node_vals h0 (l1 `L.append` l2) == g_node_vals h0 l1 `L.append` g_node_vals h0 l2))) = + match l1 with + | [] -> () + | h :: t -> _lemma_append_g_node_vals h0 t l2 + +(** [unchanged_node_val] before/after [append]ing *) +let rec _lemma_unchanged_node_vals_append (h0 h1:HS.mem) (l1 l2:list (node 'a)) : + Lemma + (ensures ( + (unchanged_node_vals h0 h1 (l1 `L.append` l2) <==> + (unchanged_node_vals h0 h1 l1 /\ unchanged_node_vals h0 h1 l2)))) = + match l1 with + | [] -> () + | h :: t -> _lemma_unchanged_node_vals_append h0 h1 t l2 + +(** Getting a specific node from an [unchanged_node_val] *) +let rec _lemma_extract_unchanged_node_val (h0 h1:HS.mem) (n:node 'a) (l:list (node 'a)) : + Lemma + (requires (unchanged_node_vals h0 h1 l /\ n `L.memP` l)) + (ensures (unchanged_node_val h0 h1 n)) = + let h :: t = l in + FStar.Classical.or_elim #_ #_ #(fun () -> unchanged_node_val h0 h1 n) + (fun (_:unit{n == h}) -> ()) + (fun (_:unit{n =!= h}) -> _lemma_extract_unchanged_node_val h0 h1 n t) + +(** Connect [split_using] and [splitAt] *) +let rec _lemma_split_using_splitAt (l:list 'a) (x:'a) : + Lemma + (requires (x `L.memP` l)) + (ensures + (l `L.split_using` x == L.splitAt (l `L.index_of` x) l)) = + match l with + | [_] -> () + | h :: t -> + FStar.Classical.arrow_to_impl + #(x `L.memP` t) + #(l `L.split_using` x == L.splitAt (l `L.index_of` x) l) + (fun _ -> _lemma_split_using_splitAt t x) + +(** Length of a [g_node_vals] is same as orig list *) +let rec _lemma_length_g_node_vals (h0:HS.mem) (l:list (node 'a)) : + Lemma + (L.length (g_node_vals h0 l) = L.length l) = + match l with + | [] -> () + | h :: t -> + _lemma_length_g_node_vals h0 t + +/// Moving forwards or backwards in a list + +let has_next d n = + let h0 = HST.get () in + DLL.lemma_dll_links_contained h0 (d@h0) (as_list h0 d `L.index_of` n); + L.lemma_unsnoc_is_last (as_list h0 d); + let y = not (B.is_null (!*n).DLL.flink) in + FStar.Classical.or_elim #_ #_ #(fun () -> + y <==> as_list h0 d `L.index_of` n < L.length (as_list h0 d) - 1) + (fun (_:unit{y}) -> ()) + (fun (_:unit{not y}) -> + DLL._lemma_only_tail_can_point_right_to_null h0 n (as_list h0 d); + DLL._lemma_all_nodes_are_unique h0 (as_list h0 d) + (as_list h0 d `L.index_of` n) + (L.length (as_list h0 d) - 1)); + y + +let has_prev d n = + let h0 = HST.get () in + DLL.lemma_dll_links_contained h0 (d@h0) (as_list h0 d `L.index_of` n); + L.lemma_unsnoc_is_last (as_list h0 d); + let y = not (B.is_null (!*n).DLL.blink) in + FStar.Classical.or_elim #_ #_ #(fun () -> + y <==> as_list h0 d `L.index_of` n > 0) + (fun (_:unit{y}) -> ()) + (fun (_:unit{not y}) -> + DLL._lemma_only_head_can_point_left_to_null h0 n (as_list h0 d); + DLL._lemma_all_nodes_are_unique h0 (as_list h0 d) + (as_list h0 d `L.index_of` n) + 0); + y + +let next_node d n = + let h0 = HST.get () in + lemma_node_in_valid_dll_is_valid h0 d n; + DLL.extract_nodelist_conn h0 (as_list h0 d) (L.index_of (as_list h0 d) n); + (!*n).DLL.flink + +let prev_node d n = + let h0 = HST.get () in + lemma_node_in_valid_dll_is_valid h0 d n; + DLL.extract_nodelist_conn h0 (as_list h0 d) (L.index_of (as_list h0 d) n - 1); + (!*n).DLL.blink + +/// Stateful DoublyLinkedList operations +/// +/// These are most likely what you want to be using when writing +/// code. The rest of this interface lets you talk about these +/// operations easily. + +#set-options "--z3rlimit 20 --max_fuel 2 --max_ifuel 1" + +let dll_insert_at_head #t d n = + let h00 = HST.get () in + HST.push_frame (); + let h0 = HST.get () in + let y = DLL.dll_insert_at_head (!*d) n in + let h' = HST.get () in + d *= y; + let h1 = HST.get () in + _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h1 d); + HST.pop_frame (); + let h11 = HST.get () in + _lemma_unchanged_node_vals_maintains_changes h00 h11 (as_list h1 d) + +#reset-options + +#set-options "--z3rlimit 40 --max_fuel 2 --max_ifuel 1" + +let dll_insert_at_tail #t d n = + let h00 = HST.get () in + HST.push_frame (); + let h0 = HST.get () in + let y = DLL.dll_insert_at_tail (!*d) n in + let h' = HST.get () in + d *= y; + let h1 = HST.get () in + assert (_pred_nl_disjoint h0 (as_list h1 d)); // OBSERVE + _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h1 d); + HST.pop_frame (); + let h11 = HST.get () in + _lemma_append_contains h00 (as_list h0 d) [n]; + _lemma_unchanged_node_vals_maintains_changes h00 h11 (as_list h1 d); + _lemma_append_g_node_vals h11 (as_list h0 d) [n]; + L.lemma_unsnoc_is_last (as_list h1 d); + _lemma_extract_unchanged_node_val h0 h1 n (as_list h1 d); + _lemma_append_g_node_vals h00 (as_list h0 d) [n]; + _lemma_unchanged_node_vals_append h00 h11 (as_list h0 d) [n] + +#reset-options + +// #set-options "--z3rlimit 80 --max_fuel 2 --max_ifuel 1" +// +// let dll_insert_before #t n' d n = +// let h00 = HST.get () in +// HST.push_frame (); +// let h0 = HST.get () in +// let y = DLL.dll_insert_before (!*d) n' n in +// let h' = HST.get () in +// d *= y; +// let h1 = HST.get () in +// assert (_pred_nl_disjoint h0 (as_list h1 d)); // OBSERVE +// _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h1 d); +// // assert (fp_dll h1 d `B.loc_includes` (B.loc_buffer (d@h0).DLL.lhead)); +// // assert (fp_dll h1 d `B.loc_includes` (B.loc_buffer (d@h0).DLL.ltail)); +// // assert (fp_dll h1 d `B.loc_includes` (B.loc_buffer n)); +// _lemma_insertion_maintains_memP (as_list h0 d) (as_list h1 d) n' n n'; +// // assert (n' `L.memP` as_list h1 d); +// _lemma_prev_node_in_list h0 n' d; +// FStar.Classical.arrow_to_impl #((n'@h0).DLL.blink =!= B.null) +// #((n'@h0).DLL.blink =!= B.null /\ (n'@h0).DLL.blink `L.memP` as_list h1 d) +// (fun _ -> +// _lemma_insertion_maintains_memP (as_list h0 d) (as_list h1 d) n' n (n'@h0).DLL.blink); +// // assert ((n'@h0).DLL.blink =!= B.null ==> (n'@h0).DLL.blink `L.memP` as_list h1 d); +// _lemma_node_in_list_is_included n' (as_list h1 d); +// _lemma_node_in_list_or_null_is_included (n'@h0).DLL.blink (as_list h1 d); +// // assert (fp_dll h1 d `B.loc_includes` (B.loc_buffer n')); +// // assert (fp_dll h1 d `B.loc_includes` (B.loc_buffer (n'@h0).DLL.blink)); +// // assert (B.modifies (fp_dll h1 d) h0 h1); +// HST.pop_frame (); +// let h11 = HST.get () in +// _lemma_split_using_splitAt (as_list h00 d) n'; +// _lemma_append_g_node_vals h11 +// (fst (L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d))) +// (snd (L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d))); +// L.lemma_splitAt_append (as_list h00 d `L.index_of` n') (as_list h00 d); +// _lemma_length_g_node_vals h00 (as_list h00 d); +// L.lemma_splitAt_append (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)); +// // assert ((as_list h00 d `L.index_of` n') < L.length (g_node_vals h00 (as_list h00 d))); +// _lemma_insertion_maintains_unchanged_node_vals h0 h1 (as_list h0 d) (as_list h1 d) n' n; +// // assert (unchanged_node_vals h0 h1 (as_list h0 d)); +// _lemma_unchanged_node_vals_maintains_changes h00 h11 (as_list h00 d); +// // assert (g_node_vals h11 (as_list h00 d) == g_node_vals h00 (as_list h00 d)); +// // assert ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d) in +// // let m1, m2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // g_node_vals h11 +// // (l1 `L.append` l2) == (m1 `L.append` m2) /\ L.length l1 = L.length m1); +// L.lemma_splitAt_append (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)); +// _lemma_length_g_node_vals h11 (fst (L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d))); +// L.append_length_inv_head +// (g_node_vals h11 (fst (L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d)))) +// (g_node_vals h11 (snd (L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d)))) +// (fst (L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)))) +// (snd (L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)))); +// // assert (g_node_vals h11 (let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d) in l1) == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // l1)); +// // assert (g_node_vals h11 (let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (as_list h00 d) in l2) == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // l2)); +// // assert (g_node_vals h11 (let l1, l2 = L.split_using (as_list h00 d) n' in l1) == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // l1)); +// // assert (g_node_vals h11 (let l1, l2 = L.split_using (as_list h00 d) n' in l2) == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // l2)); +// _lemma_insertion_maintains_memP (as_list h0 d) (as_list h1 d) n' n n; +// // assert (n `L.memP` as_list h1 d); +// _lemma_extract_unchanged_node_val h0 h1 n (as_list h1 d); +// // assert (g_node_val h1 n == g_node_val h0 n); +// _lemma_append_g_node_vals h11 +// (let l1, l2 = L.split_using (as_list h00 d) n' in l1) +// (let l1, l2 = L.split_using (as_list h00 d) n' in (n :: l2)); +// // assert (g_node_vals h11 ( +// // let l1, l2 = L.split_using (as_list h00 d) n' in +// // l1 `L.append` (n :: l2)) == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // l1 `L.append` ((g_node_val h00 n) :: l2))); +// // assert (g_node_vals h11 (l_insert_before n' (as_list h00 d) n) == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // l1 `L.append` ((g_node_val h00 n) :: l2))); +// // assert (g_node_vals h11 (as_list h11 d) == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (g_node_vals h00 (as_list h00 d)) in +// // l1 `L.append` ((g_node_val h00 n) :: l2))); +// // assert (as_payload_list h11 d == ( +// // let l1, l2 = L.splitAt (as_list h00 d `L.index_of` n') (as_payload_list h00 d) in +// // l1 `L.append` ((g_node_val h00 n) :: l2))); +// // assert (as_payload_list h11 d == l_insert_before' +// // (as_list h00 d `L.index_of` n') (as_payload_list h00 d) (g_node_val h00 n)); +// () +// +// #reset-options +// +// // #set-options "--z3rlimit 80 --max_fuel 2 --max_ifuel 1" +// // +// // let dll_insert_after #t n' d n = +// // let h00 = HST.get () in +// // HST.push_frame (); +// // let h0 = HST.get () in +// // let y = DLL.dll_insert_after (!*d) n' n in +// // let h' = HST.get () in +// // d *= y; +// // let h1 = HST.get () in +// // assert (_pred_nl_disjoint h0 (as_list h1 d)); // OBSERVE +// // _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h1 d); +// // _lemma_insertion_maintains_memP (as_list h0 d) (as_list h1 d) n' n n'; +// // _lemma_next_node_in_list h0 n' d; +// // FStar.Classical.arrow_to_impl #((n'@h0).DLL.flink =!= B.null) +// // #((n'@h0).DLL.flink =!= B.null /\ (n'@h0).DLL.flink `L.memP` as_list h1 d) +// // (fun _ -> +// // _lemma_insertion_maintains_memP (as_list h0 d) (as_list h1 d) n' n (n'@h0).DLL.flink); +// // _lemma_node_in_list_is_included n' (as_list h1 d); +// // _lemma_node_in_list_or_null_is_included (n'@h0).DLL.flink (as_list h1 d); +// // // assert (B.modifies (fp_dll h1 d) h0 h1); +// // HST.pop_frame (); +// // let h11 = HST.get () in +// // admit () (* Due to recent "double ghost" change *) +// // +// // #reset-options + +#set-options "--z3rlimit 40 --max_fuel 2 --max_ifuel 1" + +let dll_remove_head #t d = + let h00 = HST.get () in + HST.push_frame (); + let h0 = HST.get () in + let y = DLL.dll_remove_head (!*d) in + let h' = HST.get () in + d *= y; + let h1 = HST.get () in + _lemma_unchanged_node_vals_stays_valid0 h' h1 d; + _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h0 d); + HST.pop_frame (); + let h11 = HST.get () in + admit () (* Due to recent "double ghost" change *) + +#reset-options + +#set-options "--z3rlimit 40 --max_fuel 2 --max_ifuel 1" + +let dll_remove_tail #t d = + let h00 = HST.get () in + HST.push_frame (); + let h0 = HST.get () in + let y = DLL.dll_remove_tail (!*d) in + let h' = HST.get () in + d *= y; + let h1 = HST.get () in + + FStar.Classical.arrow_to_impl + #(L.length (d@h0).DLL.nodes >= 2) + #(DLL.dll_fp0 (d@h0) `B.loc_includes` B.loc_buffer ((d@h0).DLL.ltail@h0).DLL.blink) + (fun _ -> + DLL.extract_nodelist_conn h0 (d@h0).DLL.nodes (L.length (d@h0).DLL.nodes - 2); + DLL.extract_nodelist_fp0 (d@h0).DLL.nodes (L.length (d@h0).DLL.nodes - 2); + L.lemma_unsnoc_is_last (d@h0).DLL.nodes); + + _lemma_unchanged_node_vals_stays_valid0 h' h1 d; + _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h0 d); + HST.pop_frame (); + let h11 = HST.get () in + admit () (* Due to recent "double ghost" change *) + +#reset-options + +// #set-options "--z3rlimit 40 --max_fuel 2 --max_ifuel 1" +// +// let dll_remove_mid #t d n = +// let h00 = HST.get () in +// HST.push_frame (); +// let h0 = HST.get () in +// let y = DLL.dll_remove_node (!*d) n in +// let h' = HST.get () in +// d *= y; +// let h1 = HST.get () in +// +// FStar.Classical.arrow_to_impl +// #(L.length (d@h0).DLL.nodes >= 2) +// #(DLL.dll_fp0 (d@h0) `B.loc_includes` B.loc_buffer ((d@h0).DLL.ltail@h0).DLL.blink) +// (fun _ -> +// DLL.extract_nodelist_conn h0 (d@h0).DLL.nodes (L.length (d@h0).DLL.nodes - 2); +// DLL.extract_nodelist_fp0 (d@h0).DLL.nodes (L.length (d@h0).DLL.nodes - 2); +// L.lemma_unsnoc_is_last (d@h0).DLL.nodes); +// // assert (DLL.dll_fp0 (d@h0) `B.loc_includes` B.loc_buffer ((d@h0).DLL.lhead@h0).DLL.flink); +// // assert (DLL.dll_fp0 (d@h0) `B.loc_includes` B.loc_buffer ((d@h0).DLL.ltail@h0).DLL.blink); +// +// _lemma_next_node_in_list h0 n d; +// _lemma_node_in_list_or_null_is_included ((n@h0).DLL.flink) (d@h0).DLL.nodes; +// _lemma_prev_node_in_list h0 n d; +// _lemma_node_in_list_or_null_is_included ((n@h0).DLL.blink) (d@h0).DLL.nodes; +// // assert (DLL.dll_fp0 (d@h0) `B.loc_includes` B.loc_buffer (n@h0).DLL.flink); +// // assert (DLL.dll_fp0 (d@h0) `B.loc_includes` B.loc_buffer (n@h0).DLL.blink); +// +// _lemma_unchanged_node_vals_stays_valid0 h' h1 d; +// _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h0 d); +// HST.pop_frame (); +// let h11 = HST.get () in +// admit () (* Due to recent "double ghost" change *) +// +// #reset-options + +#set-options "--z3rlimit 20 --max_fuel 2 --max_ifuel 1" + +let dll_append #t d1 d2 = + let h00 = HST.get () in + HST.push_frame (); + let h0 = HST.get () in + let y = DLL.dll_append (!*d1) (!*d2) in + let h' = HST.get () in + d1 *= y; + let h1 = HST.get () in + DLL.nodelist_append_fp0 (as_list h0 d1) (as_list h0 d2); + assert (_pred_nl_disjoint h0 (as_list h1 d1)); // OBSERVE + _lemma_unchanged_node_vals_transitive h0 h' h1 (as_list h1 d1); + HST.pop_frame (); + let h11 = HST.get () in + admit () (* Due to recent "double ghost" change *) + +#reset-options + +// #set-options "--z3rlimit 100 --max_fuel 2 --max_ifuel 1" +// +// let dll_split_using #t d1 d2 n = +// let h00 = HST.get () in +// HST.push_frame (); +// let h0 = HST.get () in +// let y1, y2 = DLL.dll_split_using (!*d1) n in +// let h0' = HST.get () in +// d1 *= y1; +// let h0'' = HST.get () in +// d2 *= y2; +// let h1 = HST.get () in +// assert (B.loc_buffer d1 `B.loc_disjoint` DLL.dll_fp0 (d1@h0)); +// assert (DLL.dll_fp0 (d1@h0) `B.loc_includes` DLL.dll_fp0 y1); +// FStar.Classical.arrow_to_impl +// #(L.length (d1@h0).DLL.nodes >= 2) +// #(DLL.dll_fp0 (d1@h0) `B.loc_includes` B.loc_buffer ((d1@h0).DLL.ltail@h0).DLL.blink) +// (fun _ -> +// DLL.extract_nodelist_conn h0 (d1@h0).DLL.nodes (L.length (d1@h0).DLL.nodes - 2); +// DLL.extract_nodelist_fp0 (d1@h0).DLL.nodes (L.length (d1@h0).DLL.nodes - 2); +// L.lemma_unsnoc_is_last (d1@h0).DLL.nodes); +// _lemma_prev_node_in_list h0 n d1; +// _lemma_node_in_list_or_null_is_included ((n@h0).DLL.blink) (d1@h0).DLL.nodes; +// _lemma_node_in_list_is_included n (d1@h0).DLL.nodes; +// assert (B.loc_buffer d1 `B.loc_disjoint` DLL.dll_fp0 (d1@h0')); +// _lemma_unchanged_node_vals_stays_valid0 h0' h0'' d1; +// _lemma_unchanged_node_vals_transitive h0 h0' h0'' (as_list h0 d1); +// // +// _lemma_unchanged_node_vals_when_disjoint h0'' h1 (B.loc_buffer d2) (as_list h0 d1); +// assert (unchanged_node_vals h0'' h1 (as_list h0 d1)); +// assert (_pred_nl_disjoint h0 (as_list h0 d1)); +// assert (_pred_nl_disjoint h0 (as_list h1 d1)); +// assert (_pred_nl_disjoint h0 (as_list h1 d2)); +// _lemma_unchanged_node_vals_transitive h0 h0'' h1 (as_list h0 d1); +// assert (dll_valid h0'' d1); +// _lemma_nodelist_conn_in_unmodified_mem h0'' h1 (B.loc_buffer d2) (as_list h0'' d1); +// _lemma_nodelist_contained_in_unmodified_mem h0'' h1 (B.loc_buffer d2) (as_list h0'' d1); +// assert (dll_valid h1 d1); +// _lemma_nodelist_conn_in_unmodified_mem h0' h0'' (B.loc_buffer d1) y2.DLL.nodes; +// _lemma_nodelist_contained_in_unmodified_mem h0' h0'' (B.loc_buffer d1) y2.DLL.nodes; +// assert (DLL.dll_valid h0'' y2); +// assert (dll_valid h1 d2); +// HST.pop_frame (); +// let h11 = HST.get () in +// B.popped_modifies h1 h11; +// let loc = B.loc_region_only false (HS.get_tip h1) in +// _lemma_nodelist_contained_in_unmodified_mem h1 h11 loc (as_list h11 d1); +// _lemma_nodelist_contained_in_unmodified_mem h1 h11 loc (as_list h11 d2); +// _lemma_nodelist_conn_in_unmodified_mem h1 h11 loc (as_list h11 d1); +// _lemma_nodelist_conn_in_unmodified_mem h1 h11 loc (as_list h11 d2); +// admit () (* Due to recent "double ghost" change *) +// +// #reset-options + +/// Automatic validity maintenance +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +let auto_dll_remains_valid_upon_staying_unchanged h0 h1 l d = + _lemma_nodelist_contained_in_unmodified_mem h0 h1 l (as_list h1 d); + _lemma_nodelist_conn_in_unmodified_mem h0 h1 l (as_list h1 d) + +let auto_node_remains_valid_upon_staying_unchanged h0 h1 l n = () + +let auto_node_remains_unchanged_upon_staying_unchanged_val h0 h1 n = () + +/// Automatic footprint maintenance +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +let auto_dll_fp_upon_staying_unchanged h0 h1 l d = () + +/// Automatic value maintenance +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +let auto_dll_as_list_staying_unchanged h0 h1 l d =() + +let auto_dll_as_payload_list_staying_unchanged h0 h1 loc d = + let rec aux loc nl : Lemma + (requires ( + B.modifies loc h0 h1 /\ + DLL.nodelist_contained h0 nl /\ + B.loc_disjoint (DLL.nodelist_fp0 nl) loc)) + (ensures (g_node_vals h0 nl == g_node_vals h1 nl)) = + match nl with + | [] -> () + | hd :: tl -> aux loc tl in + aux loc (as_list h1 d) + +let auto_node_val_staying_unchanged h0 h1 l n = () + +/// Properties of nodes inside and outside lists +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +let auto_node_in_list_is_included h0 n d = + _lemma_node_in_list_is_included n (as_list h0 d) + +let auto_node_in_list_is_valid h0 n d = + DLL.extract_nodelist_contained h0 (as_list h0 d) (as_list h0 d `L.index_of` n) + +/// Properties related to unchanged connections +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +let auto_unchanged_node_connections_list_unchanged h0 h1 d n = + assert (B.loc_disjoint (B.loc_buffer d) (DLL.dll_fp0 (d@h0))); + DLL.extract_nodelist_fp0 (as_list h0 d) (as_list h0 d `L.index_of` n); + assert (B.loc_disjoint (B.loc_buffer d) (B.loc_buffer n)) + +#set-options "--z3rlimit 10" + +let auto_unchanged_node_connections_dll_valid h0 h1 d (n:node 'a) = + DLL.extract_nodelist_fp0 (as_list h0 d) (as_list h0 d `L.index_of` n); + assert (d@h0 == d@h1); + assert (as_list h0 d == as_list h1 d); + let rec aux1 #nl' (nl:list (node 'a)) : + Lemma + (requires ( + (B.modifies (B.loc_buffer n) h0 h1) /\ + (DLL.nodelist_contained h0 nl) /\ + (DLL.nodelist_aa_r nl) /\ + (nl' `L.append` nl == as_list h1 d) /\ + (n `L.memP` nl \/ B.loc_buffer n `B.loc_disjoint` DLL.nodelist_fp0 nl))) + (ensures (DLL.nodelist_contained h1 nl)) + (decreases (L.length nl)) = + match nl with + | [] -> () + | x :: xs -> + let nl1', nl1 = L.snoc (nl', x), xs in + L.append_l_cons x xs nl'; + aux1 #nl1' nl1 in + aux1 #[] (as_list h1 d); + assert (DLL.nodelist_contained h1 (as_list h1 d)); + assert ((d@h1).DLL.lhead =!= B.null); + assert ((d@h1).DLL.ltail =!= B.null); + let rec aux2 #nl' (nl:list (node 'a)) : + Lemma + (requires ( + (B.modifies (B.loc_buffer n) h0 h1) /\ + unchanged_node_connections h0 h1 n /\ + (DLL.nodelist_contained h0 nl) /\ + (DLL.nodelist_contained h1 nl) /\ + (DLL.nodelist_conn h0 nl) /\ + (DLL.nodelist_aa_r nl) /\ + (nl' `L.append` nl == as_list h1 d) /\ + (n `L.memP` nl \/ B.loc_buffer n `B.loc_disjoint` DLL.nodelist_fp0 nl))) + (ensures (DLL.nodelist_conn h1 nl)) + (decreases (L.length nl)) = + match nl with + | [] -> () + | n1 :: rest -> + match rest with + | [] -> () + | n2 :: ns -> + let nl1', nl1 = L.snoc (nl', n1), rest in + L.append_l_cons n1 rest nl'; + aux2 #nl1' nl1; + assert (DLL.nodelist_conn h1 rest); + FStar.Classical.arrow_to_impl #(n `L.memP` rest) #((n1@h1).DLL.flink == (n1@h0).DLL.flink) + (fun _ -> DLL.extract_nodelist_fp0 rest (rest `L.index_of` n)); + FStar.Classical.arrow_to_impl #(n `L.memP` ns) #((n2@h1).DLL.blink == (n2@h0).DLL.blink) + (fun _ -> DLL.extract_nodelist_fp0 ns (ns `L.index_of` n)) in + aux2 #[] (as_list h1 d); + assert (DLL.nodelist_conn h1 (as_list h1 d)); + FStar.Classical.arrow_to_impl + #((d@h1).DLL.lhead =!= n) #(((d@h1).DLL.lhead@h1).DLL.blink == B.null) + (fun _ -> + let l = L.tl (as_list h1 d) in + DLL.extract_nodelist_fp0 l (l `L.index_of` n)); + L.lemma_unsnoc_is_last (as_list h1 d); + FStar.Classical.arrow_to_impl + #((d@h1).DLL.ltail =!= n) #(((d@h1).DLL.ltail@h1).DLL.flink == B.null) + (fun _ -> + let l, _ = L.unsnoc (as_list h1 d) in + let i = as_list h1 d `L.index_of` n in + assert (i < L.length (as_list h1 d)); + assert (i = L.length (as_list h1 d) ==> (d@h1).DLL.ltail == n); + assert ((d@h1).DLL.ltail =!= n); + assert (i < L.length (as_list h1 d) - 1); + L.lemma_unsnoc_length (as_list h1 d); + L.lemma_unsnoc_index (as_list h1 d) i; + DLL.extract_nodelist_fp0 l (l `L.index_of` n)) + +#reset-options + +/// Properties related to pushes and pops +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +let auto_dll_push_pop h0 h1 h2 h3 d = () + +let auto_dll_fp_push_pop h0 h1 h2 h3 d = () + +let auto_dll_fp_disjoint_push h0 h1 d = () \ No newline at end of file diff --git a/milli/doubly-linked-list/FstarlowstarIface.fsti b/milli/doubly-linked-list/FstarlowstarIface.fsti new file mode 100644 index 0000000..883d2d7 --- /dev/null +++ b/milli/doubly-linked-list/FstarlowstarIface.fsti @@ -0,0 +1,521 @@ +(* + Copyright 2008-2019 Microsoft Research + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*) + +module FstarlowstarIface + +module HS = FStar.HyperStack +module HST = FStar.HyperStack.ST +module L = FStar.List.Tot +module B = LowStar.Buffer + +/// Abstract types defined by this library + +(** A singular node which stores a value of type [a] *) +val node (a:Type0) : Type0 + +(** A doublylinkedlist of elements of type [a] *) +val dll (a:Type0) : Type0 + +/// Abstract Validity Predicates + +val node_valid (h:HS.mem) (n:node 'a) : prop + +val dll_valid (h:HS.mem) (d:dll 'a) : prop + +/// Abstract node and list footprints + +val fp_node (n:node 'a) : GTot B.loc + +val fp_dll (h:HS.mem) (d:dll 'a) : GTot B.loc + +/// Getters and setters for [node]s + +val g_node_val (h:HS.mem) (n:node 'a) : GTot 'a + +val node_val (n:node 'a) : + HST.StackInline 'a + (requires (fun h0 -> node_valid h0 n)) + (ensures (fun h0 v h1 -> h0 == h1 /\ v == g_node_val h0 n)) + +val node_of (v:'a) : + HST.StackInline (node 'a) + (requires (fun h0 -> True)) + (ensures (fun h0 n h1 -> + B.modifies B.loc_none h0 h1 /\ + B.fresh_loc (fp_node n) h0 h1 /\ + node_valid h1 n /\ + v == g_node_val h1 n)) + +/// Abstract Predicate to help "recall" that updating the payload +/// leaves connections unchanged + +val unchanged_node_connections (h0 h1:HS.mem) (n:node 'a) : GTot prop + +/// Be able to modify the payload of a node easily, without affecting +/// membership + +val node_update (n:node 'a) (v:'a) : + HST.StackInline (unit) + (requires (fun h0 -> node_valid h0 n)) + (ensures (fun h0 () h1 -> + B.modifies (fp_node n) h0 h1 /\ + node_valid h1 n /\ + v == g_node_val h1 n /\ + unchanged_node_connections h0 h1 n)) + +/// Viewing ghostly state of a DoublyLinkedList as a list of nodes, +/// and as list of payloads + +val as_list (h:HS.mem) (d:dll 'a) : GTot (list (node 'a)) + +let rec g_node_vals (h:HS.mem) (l:list (node 'a)) : GTot (list 'a) = + match l with + | [] -> [] + | hd :: tl -> g_node_val h hd :: g_node_vals h tl + +let as_payload_list (h:HS.mem) (d:dll 'a) : GTot (list 'a) = + g_node_vals h (as_list h d) + +/// Creating an empty DoublyLinkedList, and quickly accessing the head +/// and tail of a DoublyLinkedList + +val dll_new (u:unit) : + HST.StackInline (dll 'a) + (requires (fun h0 -> True)) + (ensures (fun h0 d h1 -> + B.modifies B.loc_none h0 h1 /\ + B.fresh_loc (fp_dll h1 d) h0 h1 /\ + dll_valid h1 d /\ + as_list h1 d == [])) + +val is_empty (d:dll 'a) : + HST.StackInline (bool) + (requires (fun h0 -> dll_valid h0 d)) + (ensures (fun h0 y h1 -> + (h0 == h1) /\ + (y <==> as_list h0 d == []))) + +val dll_head (d:dll 'a) : + HST.StackInline (node 'a) + (requires (fun h0 -> dll_valid h0 d /\ L.length (as_list h0 d) > 0)) + (ensures (fun h0 n h1 -> + B.modifies B.loc_none h0 h1 /\ + dll_valid h1 d /\ + node_valid h1 n /\ + as_list h0 d == as_list h1 d /\ + n == L.hd (as_list h0 d))) + +val dll_tail (d:dll 'a) : + HST.StackInline (node 'a) + (requires (fun h0 -> dll_valid h0 d /\ L.length (as_list h0 d) > 0)) + (ensures (fun h0 n h1 -> + h0 == h1 /\ + dll_valid h1 d /\ + node_valid h1 n /\ + as_list h0 d == as_list h1 d /\ + n == snd (L.unsnoc (as_list h0 d)))) + +/// Moving forwards or backwards in a list + +val has_next (d:dll 'a) (n:node 'a) : + HST.StackInline bool + (requires (fun h0 -> + dll_valid h0 d /\ + node_valid h0 n /\ + n `L.memP` as_list h0 d)) + (ensures (fun h0 y h1 -> + (h0 == h1) /\ + (y <==> L.index_of (as_list h0 d) n < L.length (as_list h0 d) - 1))) + +val has_prev (d:dll 'a) (n:node 'a) : + HST.StackInline bool + (requires (fun h0 -> + dll_valid h0 d /\ + node_valid h0 n /\ + n `L.memP` as_list h0 d)) + (ensures (fun h0 y h1 -> + (h0 == h1) /\ + (y <==> L.index_of (as_list h0 d) n > 0))) + +val next_node (d:dll 'a) (n:node 'a) : + HST.StackInline (node 'a) + (requires (fun h0 -> + dll_valid h0 d /\ + n `L.memP` as_list h0 d /\ + L.index_of (as_list h0 d) n < L.length (as_list h0 d) - 1)) + (ensures (fun h0 n' h1 -> + h0 == h1 /\ + dll_valid h1 d /\ + node_valid h1 n /\ + as_list h0 d == as_list h1 d /\ + n' == L.index (as_list h0 d) (L.index_of (as_list h0 d) n + 1))) + +val prev_node (d:dll 'a) (n:node 'a) : + HST.StackInline (node 'a) + (requires (fun h0 -> + dll_valid h0 d /\ + n `L.memP` as_list h0 d /\ + L.index_of (as_list h0 d) n > 0)) + (ensures (fun h0 n' h1 -> + h0 == h1 /\ + dll_valid h1 d /\ + node_valid h1 n /\ + as_list h0 d == as_list h1 d /\ + n' == L.index (as_list h0 d) (L.index_of (as_list h0 d) n - 1))) + +/// DoublyLinkedList operations on standard [list]s instead + +let l_insert_at_head (l:list 'a) (x:'a) : GTot (list 'a) = + x :: l + +let l_insert_at_tail (l:list 'a) (x:'a) : GTot (list 'a) = + L.snoc (l, x) + +let l_insert_before (x0:'a) (l:list 'a{x0 `L.memP` l}) (x:'a) : GTot (list 'a) = + let l1, l2 = L.split_using l x0 in + l1 `L.append` (x :: l2) + +let l_insert_before' (i:nat) (l:list 'a) (x:'a) : GTot (list 'a) = + let l1, l2 = L.splitAt i l in + l1 `L.append` (x :: l2) + +let l_insert_after (x0:'a) (l:list 'a{x0 `L.memP` l}) (x:'a) : GTot (list 'a) = + let l1, x1 :: l2 = L.lemma_split_using l x0; L.split_using l x0 in + assert (x0 == x1); + l1 `L.append` (x0 :: (x :: l2)) + +let l_insert_after' (i:nat) (l:list 'a{i < L.length l}) (x:'a) : GTot (list 'a) = + let l1, x1 :: l2 = L.lemma_splitAt_snd_length i l; L.splitAt i l in + l1 `L.append` ((L.index l i) :: (x :: l2)) + +let l_remove_head (l:list 'a{L.length l > 0}) : GTot (list 'a) = + match l with + | _ :: l' -> l' + +let l_remove_tail (l:list 'a{L.length l > 0}) : GTot (list 'a) = + let l', _ = L.unsnoc l in + l' + +let l_remove_mid (l:list 'a{L.length l > 0}) (x:'a {x `L.memP` l}) : GTot (list 'a) = + let l1, x0 :: l2 = L.lemma_split_using l x; L.split_using l x in + assert (x == x0); + l1 `L.append` l2 + +let l_remove_mid' (l:list 'a{L.length l > 0}) (i:nat{i < L.length l}) : GTot (list 'a) = + let l1, x0 :: l2 = L.lemma_splitAt_snd_length i l; L.splitAt i l in + l1 `L.append` l2 + +let l_append (l1 l2:list 'a) : GTot (list 'a) = + l1 `L.append` l2 + +let l_split_using (l:list 'a) (x:'a{x `L.memP` l}) : GTot (list 'a * list 'a) = + L.split_using l x + +let l_split_using' (l:list 'a) (i:nat) : GTot (list 'a * list 'a) = + L.splitAt i l + +/// Useful "shortform" for equivalence of [loc]s + +let loc_equiv (a b:B.loc) = + B.loc_includes a b /\ B.loc_includes b a + +/// Stateful DoublyLinkedList operations +/// +/// These are most likely what you want to be using when writing +/// code. The rest of this interface lets you talk about these +/// operations easily. + +val dll_insert_at_head (#t:Type0) (d:dll t) (n:node t) : + HST.Stack unit + (requires (fun h0 -> dll_valid h0 d /\ node_valid h0 n /\ (fp_node n `B.loc_disjoint` fp_dll h0 d))) + (ensures (fun h0 () h1 -> + B.modifies (fp_dll h1 d) h0 h1 /\ + fp_dll h1 d `loc_equiv` B.loc_union (fp_dll h0 d) (fp_node n) /\ + dll_valid h1 d /\ node_valid h1 n /\ + as_payload_list h1 d == l_insert_at_head (as_payload_list h0 d) (g_node_val h0 n) /\ + as_list h1 d == l_insert_at_head (as_list h0 d) n)) + +val dll_insert_at_tail (#t:Type0) (d:dll t) (n:node t) : + HST.Stack unit + (requires (fun h0 -> dll_valid h0 d /\ node_valid h0 n /\ (fp_node n `B.loc_disjoint` fp_dll h0 d))) + (ensures (fun h0 () h1 -> + B.modifies (fp_dll h1 d) h0 h1 /\ + fp_dll h1 d `loc_equiv` B.loc_union (fp_dll h0 d) (fp_node n) /\ + dll_valid h1 d /\ node_valid h1 n /\ + as_payload_list h1 d == l_insert_at_tail (as_payload_list h0 d) (g_node_val h0 n) /\ + as_list h1 d == l_insert_at_tail (as_list h0 d) n)) + +// val dll_insert_before (#t:Type0) (n':node t) (d:dll t) (n:node t) : +// HST.Stack unit +// (requires (fun h0 -> dll_valid h0 d /\ node_valid h0 n /\ (fp_node n `B.loc_disjoint` fp_dll h0 d) /\ n' `L.memP` as_list h0 d)) +// (ensures (fun h0 () h1 -> +// B.modifies (fp_dll h1 d) h0 h1 /\ +// fp_dll h1 d `loc_equiv` B.loc_union (fp_dll h0 d) (fp_node n) /\ +// dll_valid h1 d /\ node_valid h1 n /\ +// as_payload_list h1 d == l_insert_before' +// (as_list h0 d `L.index_of` n') (as_payload_list h0 d) (g_node_val h0 n) /\ +// as_list h1 d == l_insert_before n' (as_list h0 d) n)) + +// val dll_insert_after (#t:Type0) (n':node t) (d:dll t) (n:node t) : +// HST.Stack unit +// (requires (fun h0 -> dll_valid h0 d /\ node_valid h0 n /\ (fp_node n `B.loc_disjoint` fp_dll h0 d) /\ n' `L.memP` as_list h0 d)) +// (ensures (fun h0 () h1 -> +// B.modifies (fp_dll h1 d) h0 h1 /\ +// fp_dll h1 d `loc_equiv` B.loc_union (fp_dll h0 d) (fp_node n) /\ +// dll_valid h1 d /\ node_valid h1 n /\ +// L.length (as_payload_list h0 d) = L.length (as_list h0 d) /\ // TODO: Why?! +// as_payload_list h1 d == l_insert_after' +// (as_list h0 d `L.index_of` n') (as_payload_list h0 d) (g_node_val h0 n) /\ +// as_list h1 d == l_insert_after n' (as_list h0 d) n)) + +unfold +let fp_strictly_disjoint_union (l l1 l2:B.loc) = + l `loc_equiv` B.loc_union l1 l2 /\ + l1 `B.loc_disjoint` l2 + +unfold +let aux_fp_split_by_node (h0 h1:HS.mem) (d:dll 'a) (n:node 'a) = + fp_strictly_disjoint_union (fp_dll h0 d) (fp_dll h1 d) (fp_node n) + +val dll_remove_head (#t:Type0) (d:dll t) : + HST.Stack unit + (requires (fun h0 -> dll_valid h0 d /\ L.length (as_list h0 d) > 0)) + (ensures (fun h0 () h1 -> + B.modifies (fp_dll h0 d) h0 h1 /\ + aux_fp_split_by_node h0 h1 d (L.hd (as_list h0 d)) /\ + dll_valid h1 d /\ + node_valid h1 (L.hd (as_list h0 d)) /\ + g_node_val h0 (L.hd (as_list h0 d)) == g_node_val h1 (L.hd (as_list h0 d)) /\ + as_payload_list h1 d == l_remove_head (as_payload_list h0 d) /\ + as_list h1 d == l_remove_head (as_list h0 d))) + +val dll_remove_tail (#t:Type0) (d:dll t) : + HST.Stack unit + (requires (fun h0 -> dll_valid h0 d /\ L.length (as_list h0 d) > 0)) + (ensures (fun h0 () h1 -> + B.modifies (fp_dll h0 d) h0 h1 /\ + aux_fp_split_by_node h0 h1 d (L.last (as_list h0 d)) /\ + dll_valid h1 d /\ + node_valid h1 (L.last (as_list h0 d)) /\ + g_node_val h0 (L.last (as_list h0 d)) == g_node_val h1 (L.last (as_list h0 d)) /\ + as_payload_list h1 d == l_remove_tail (as_payload_list h0 d) /\ + as_list h1 d == l_remove_tail (as_list h0 d))) + +// val dll_remove_mid (#t:Type0) (d:dll t) (n:node t) : +// HST.Stack unit +// (requires (fun h0 -> dll_valid h0 d /\ n `L.memP` as_list h0 d)) +// (ensures (fun h0 () h1 -> +// B.modifies (fp_dll h0 d) h0 h1 /\ +// aux_fp_split_by_node h0 h1 d n /\ +// dll_valid h1 d /\ +// g_node_val h0 n == g_node_val h1 n /\ +// L.length (as_payload_list h0 d) = L.length (as_list h0 d) /\ // TODO: Why?! +// as_payload_list h1 d == l_remove_mid' (as_payload_list h0 d) (as_list h0 d `L.index_of` n) /\ +// as_list h1 d == l_remove_mid (as_list h0 d) n)) + +val dll_append (#t:Type0) (d1 d2:dll t) : + HST.Stack unit + (requires (fun h0 -> + dll_valid h0 d1 /\ + dll_valid h0 d2 /\ + fp_dll h0 d1 `B.loc_disjoint` fp_dll h0 d2)) + (ensures (fun h0 () h1 -> + B.modifies (fp_dll h0 d1 `B.loc_union` fp_dll h0 d2) h0 h1 /\ + fp_strictly_disjoint_union (B.loc_union (fp_dll h1 d1) (fp_dll h1 d2)) + (fp_dll h0 d1) (fp_dll h0 d2) /\ + dll_valid h1 d1 /\ + as_payload_list h1 d1 == as_payload_list h0 d1 `l_append` as_payload_list h0 d2 /\ + as_list h1 d1 == as_list h0 d1 `l_append` as_list h0 d2)) + +// val dll_split_using (#t:Type0) (d1 d2:dll t) (n:node t) : +// HST.Stack unit +// (requires (fun h0 -> +// dll_valid h0 d1 /\ +// n `L.memP` as_list h0 d1 /\ +// dll_valid h0 d2 /\ +// fp_dll h0 d1 `B.loc_disjoint` fp_dll h0 d2 /\ +// as_list h0 d2 == [])) +// (ensures (fun h0 () h1 -> +// B.modifies (fp_dll h0 d1 `B.loc_union` fp_dll h0 d2) h0 h1 /\ +// fp_strictly_disjoint_union (B.loc_union (fp_dll h1 d1) (fp_dll h1 d2)) +// (fp_dll h0 d1) (fp_dll h0 d2) /\ +// dll_valid h1 d1 /\ +// dll_valid h1 d2 /\ +// (as_payload_list h1 d1, as_payload_list h1 d2) == l_split_using' (as_payload_list h0 d1) (as_list h0 d1 `L.index_of` n) /\ +// (as_list h1 d1, as_list h1 d2) == l_split_using (as_list h0 d1) n)) + +/// Automatic validity maintenance +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +val auto_dll_remains_valid_upon_staying_unchanged (h0 h1:HS.mem) (l:B.loc) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ + B.modifies l h0 h1 /\ + B.loc_disjoint (fp_dll h0 d) l)) + (ensures (dll_valid h1 d)) + [SMTPat (dll_valid h1 d); SMTPat (B.modifies l h0 h1)] + +val auto_node_remains_valid_upon_staying_unchanged (h0 h1:HS.mem) (l:B.loc) (n:node 'a) : + Lemma + (requires (node_valid h0 n /\ + B.modifies l h0 h1 /\ + B.loc_disjoint (fp_node n) l)) + (ensures (node_valid h1 n)) + [SMTPat (node_valid h1 n); SMTPat (B.modifies l h0 h1)] + +/// Automatic footprint maintenance +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +val auto_dll_fp_upon_staying_unchanged (h0 h1:HS.mem) (l:B.loc) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ + B.modifies l h0 h1 /\ + B.loc_disjoint (fp_dll h0 d) l)) + (ensures (fp_dll h1 d == fp_dll h0 d)) + [SMTPat (fp_dll h1 d); SMTPat (B.modifies l h0 h1)] + +/// Automatic value maintenance +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +val auto_dll_as_list_staying_unchanged (h0 h1:HS.mem) (l:B.loc) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ + B.modifies l h0 h1 /\ + B.loc_disjoint (fp_dll h0 d) l)) + (ensures (as_list h1 d == as_list h0 d)) + [SMTPat (as_list h1 d); SMTPat (B.modifies l h0 h1)] + +val auto_dll_as_payload_list_staying_unchanged (h0 h1:HS.mem) (l:B.loc) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ + B.modifies l h0 h1 /\ + B.loc_disjoint (fp_dll h0 d) l)) + (ensures (as_payload_list h1 d == as_payload_list h0 d)) + [SMTPat (as_payload_list h1 d); SMTPat (B.modifies l h0 h1)] + +val auto_node_val_staying_unchanged (h0 h1:HS.mem) (l:B.loc) (n:node 'a) : + Lemma + (requires (node_valid h0 n /\ + B.modifies l h0 h1 /\ + B.loc_disjoint (fp_node n) l)) + (ensures (g_node_val h1 n == g_node_val h0 n)) + [SMTPat (g_node_val h1 n); SMTPat (B.modifies l h0 h1)] + +/// Properties of nodes inside and outside lists +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +val auto_node_in_list_is_included (h0:HS.mem) (n:node 'a) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ + n `L.memP` as_list h0 d)) + (ensures (B.loc_includes (fp_dll h0 d) (fp_node n))) + [SMTPat (B.loc_includes (fp_dll h0 d) (fp_node n))] + +val auto_node_in_list_is_valid (h0:HS.mem) (n:node 'a) (d:dll 'a) : + Lemma + (requires (dll_valid h0 d /\ + n `L.memP` as_list h0 d)) + (ensures (node_valid h0 n)) + [SMTPat (node_valid h0 n); + SMTPat (dll_valid h0 d)] + +/// Properties related to unchanged connections +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +val auto_unchanged_node_connections_list_unchanged (h0 h1:HS.mem) (d:dll 'a) (n:node 'a) : + Lemma + (requires (dll_valid h0 d /\ + n `L.memP` as_list h0 d /\ + B.modifies (fp_node n) h0 h1 /\ + unchanged_node_connections h0 h1 n)) + (ensures (as_list h1 d == as_list h0 d)) + [SMTPat (as_list h1 d); + SMTPat (B.modifies (fp_node n) h0 h1); + SMTPat (unchanged_node_connections h0 h1 n)] + +val auto_unchanged_node_connections_dll_valid (h0 h1:HS.mem) (d:dll 'a) (n:node 'a) : + Lemma + (requires (dll_valid h0 d /\ + n `L.memP` as_list h0 d /\ + B.modifies (fp_node n) h0 h1 /\ + unchanged_node_connections h0 h1 n)) + (ensures (dll_valid h1 d)) + [SMTPat (dll_valid h1 d); + SMTPat (B.modifies (fp_node n) h0 h1); + SMTPat (unchanged_node_connections h0 h1 n)] + +/// Properties related to pushes and pops +/// +/// These are lemmas that you shouldn't really need to refer to +/// manually. If you do, it is (likely) a bug wrt the patterns, and +/// you should ask someone who knows about how this library works to +/// look at things. + +val auto_dll_push_pop (h0 h1 h2 h3:HS.mem) (d:dll 'a) : + Lemma + (requires ( + HS.fresh_frame h0 h1 /\ + B.loc_disjoint (fp_dll h2 d) (B.loc_region_only false (HS.get_tip h2)) /\ + HS.get_tip h1 == HS.get_tip h2 /\ + dll_valid h2 d /\ + HS.popped h2 h3)) + (ensures (dll_valid h3 d)) + [SMTPat (dll_valid h3 d); + SMTPat (HS.fresh_frame h0 h1); + SMTPat (HS.popped h2 h3)] + +val auto_dll_fp_push_pop (h0 h1 h2 h3:HS.mem) (d:dll 'a) : + Lemma + (requires ( + HS.fresh_frame h0 h1 /\ + B.loc_disjoint (fp_dll h2 d) (B.loc_region_only false (HS.get_tip h2)) /\ + HS.get_tip h1 == HS.get_tip h2 /\ + dll_valid h2 d /\ + HS.popped h2 h3)) + (ensures (fp_dll h3 d == fp_dll h2 d)) + [SMTPat (fp_dll h3 d); + SMTPat (HS.fresh_frame h0 h1); + SMTPat (HS.popped h2 h3)] + +val auto_dll_fp_disjoint_push (h0 h1:HS.mem) (d:dll 'a) : + Lemma + (requires ( + HS.fresh_frame h0 h1 /\ + dll_valid h0 d)) + (ensures ( + B.loc_disjoint (fp_dll h1 d) (B.loc_region_only false (HS.get_tip h1)))) + [SMTPat (B.loc_disjoint (fp_dll h1 d) (B.loc_region_only false (HS.get_tip h1))); + SMTPat (HS.fresh_frame h0 h1)] \ No newline at end of file diff --git a/milli/doubly-linked-list/FstarlowstarMain.fst b/milli/doubly-linked-list/FstarlowstarMain.fst new file mode 100644 index 0000000..ef50dc6 --- /dev/null +++ b/milli/doubly-linked-list/FstarlowstarMain.fst @@ -0,0 +1,43 @@ +module FstarlowstarMain +open LowStar.BufferOps + +module DLL = FstarlowstarIface + +module B = LowStar.Buffer +module HS = FStar.HyperStack +module HST = FStar.HyperStack.ST +module G = FStar.Ghost +module L = FStar.List.Tot +module U32 = FStar.UInt32 +module MO = LowStar.Modifies + +open FStar.HyperStack.ST + +// A lower rlimit works, but give it more so that we can test scaling +#push-options "--z3rlimit 1000 --fuel 0 --ifuel 0" + +val main2: unit -> ST (Prims.unit) (fun _ -> true) (fun _ _ _ -> true) + +let main2 () = + HST.push_frame (); + let d1 : DLL.dll UInt32.t = DLL.dll_new () in + let d2 : DLL.dll UInt32.t = DLL.dll_new () in + let d3 : DLL.dll UInt32.t = DLL.dll_new () in + let d4 : DLL.dll UInt32.t = DLL.dll_new () in + let n1_0 = DLL.node_of 0ul in + let n1_1 = DLL.node_of 1ul in + let n2_0 = DLL.node_of 0ul in + let n2_1 = DLL.node_of 1ul in + let n3_0 = DLL.node_of 0ul in + let n3_1 = DLL.node_of 1ul in + let n4_0 = DLL.node_of 0ul in + let n4_1 = DLL.node_of 1ul in + DLL.dll_insert_at_tail d1 n1_0; + DLL.dll_insert_at_tail d1 n1_1; + DLL.dll_insert_at_tail d2 n2_0; + DLL.dll_insert_at_tail d2 n2_1; + DLL.dll_insert_at_tail d3 n3_0; + DLL.dll_insert_at_tail d3 n3_1; + DLL.dll_insert_at_tail d4 n4_0; + DLL.dll_insert_at_tail d4 n4_1; + HST.pop_frame () diff --git a/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot.mlcfg b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot.mlcfg new file mode 100644 index 0000000..881da0c --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot.mlcfg @@ -0,0 +1,5471 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"/root/creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 4 16 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 4 16 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + + val map_set_commute [#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 4 16 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 14 15 14 23] k1 <> k2} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 33 16 34] Inv0.inv x} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 51 16 53] Inv1.inv k1} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 58 16 60] Inv1.inv k2} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 65 16 67] Inv2.inv v1} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 72 16 74] Inv2.inv v2} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 15 14 15 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 14 15 14 23] k1 <> k2) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 33 16 34] Inv0.inv x) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 51 16 53] Inv1.inv k1) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 58 16 60] Inv1.inv k2) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 65 16 67] Inv2.inv v1) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 72 16 74] Inv2.inv v2) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 15 14 15 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 4 16 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + + = + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 12 4 12 10] () + val map_set_commute [#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 4 16 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 14 15 14 23] k1 <> k2} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 33 16 34] Inv0.inv x} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 51 16 53] Inv1.inv k1} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 58 16 60] Inv1.inv k2} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 65 16 67] Inv2.inv v1} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 72 16 74] Inv2.inv v2} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 15 14 15 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 14 15 14 23] k1 <> k2) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 33 16 34] Inv0.inv x) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 51 16 53] Inv1.inv k1) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 58 16 60] Inv1.inv k2) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 65 16 67] Inv2.inv v1) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 72 16 74] Inv2.inv v2) -> ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 15 14 15 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 4 16 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 14 15 14 23] k1 <> k2} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 33 16 34] Inv0.inv x} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 51 16 53] Inv1.inv k1} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 58 16 60] Inv1.inv k2} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 65 16 67] Inv2.inv v1} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 16 72 16 74] Inv2.inv v2} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 15 14 15 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 12 4 12 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 129 4 129 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 131 4 131 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 131 4 131 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 129 4 129 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 129 4 129 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 131 4 131 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 131 4 131 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 129 4 129 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"/root/creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 227 8 227 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 227 8 227 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 227 8 227 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 226 19 226 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 227 8 227 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 224 8 224 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 227 8 227 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 226 19 226 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 227 8 227 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 226 19 226 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 224 8 224 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 238 8 238 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 238 8 238 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 238 8 238 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 237 19 237 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 238 8 238 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 235 8 235 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 238 8 238 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 237 19 237 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"/root/milli/creusot/cargo-dir/src/lib.rs" 238 8 238 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 237 19 237 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 235 8 235 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"/root/creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"/root/creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"/root/creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"/root/creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"/root/creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"/root/creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"/root/creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"/root/creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"/root/creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"/root/creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"/root/milli/creusot/cargo-dir/src/lib.rs" 249 8 249 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"/root/milli/creusot/cargo-dir/src/lib.rs" 249 8 249 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"/root/milli/creusot/cargo-dir/src/lib.rs" 249 8 249 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 248 19 248 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"/root/milli/creusot/cargo-dir/src/lib.rs" 249 8 249 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 246 8 246 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"/root/milli/creusot/cargo-dir/src/lib.rs" 249 8 249 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 248 19 248 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"/root/milli/creusot/cargo-dir/src/lib.rs" 249 8 249 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 248 19 248 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 246 8 246 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 257 8 257 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 257 8 257 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + + val invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 257 8 257 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 257 8 257 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + + = + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 258 12 267 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 257 8 257 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"/root/milli/creusot/cargo-dir/src/lib.rs" 272 8 272 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"/root/milli/creusot/cargo-dir/src/lib.rs" 272 8 272 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + + val model [#"/root/milli/creusot/cargo-dir/src/lib.rs" 272 8 272 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"/root/milli/creusot/cargo-dir/src/lib.rs" 272 8 272 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + + = + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 274 16 275 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"/root/milli/creusot/cargo-dir/src/lib.rs" 272 8 272 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 169 22 169 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"/root/milli/creusot/cargo-dir/src/lib.rs" 293 8 293 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 291 18 291 36] Invariant0.invariant' result } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 292 18 292 46] Model0.model result = Seq.empty } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 293 24 293 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"/root/milli/creusot/cargo-dir/src/lib.rs" 293 8 293 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 291 18 291 36] Invariant0.invariant' result } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 292 18 292 46] Model0.model result = Seq.empty } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 293 24 293 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 296 22 296 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 297 22 297 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 298 23 298 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 300 26 300 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"/root/creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"/root/creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"/root/creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"/root/creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"/root/creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"/root/creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 58 29 58 33] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 58 35 58 38] Inv1.inv val'} + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 57 14 57 46] result <> NullLogic0.null_logic () } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"/root/milli/creusot/cargo-dir/src/lib.rs" 306 8 306 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 306 25 306 26] Inv0.inv v} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 304 18 304 36] Invariant0.invariant' result } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 305 18 305 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 306 34 306 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv, + predicate Inv6.inv = Inv0.inv, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"/root/milli/creusot/cargo-dir/src/lib.rs" 306 8 306 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 306 25 306 26] Inv1.inv v} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 304 18 304 36] Invariant0.invariant' result } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 305 18 305 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 306 34 306 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 308 28 308 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 312 22 312 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 314 22 314 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 318 22 318 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"/root/creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 160 18 160 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 106 4 106 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 109 27 109 31] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 108 14 108 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 109 4 109 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"/root/creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 95 4 95 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 98 27 98 31] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 97 14 97 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 98 4 98 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"/root/milli/creusot/cargo-dir/src/lib.rs" 328 8 328 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 324 19 324 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 325 19 325 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 328 30 328 34] Inv0.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 326 18 326 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 327 18 327 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 328 39 328 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"/root/milli/creusot/cargo-dir/src/lib.rs" 328 8 328 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 324 19 324 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 325 19 325 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 328 30 328 34] Inv3.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 326 18 326 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 327 18 327 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 328 39 328 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 329 33 329 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 330 12 330 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 331 15 331 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 334 30 334 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 335 30 335 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 336 16 336 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 337 27 337 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 338 16 338 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 339 16 339 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 341 19 341 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 342 32 342 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 343 32 343 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 345 34 345 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 346 20 346 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 347 34 347 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 348 20 348 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 349 34 349 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 350 35 350 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 351 36 351 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 352 32 352 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 353 20 353 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 354 20 354 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 357 30 357 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"/root/milli/creusot/cargo-dir/src/lib.rs" 366 8 366 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 362 19 362 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 363 19 363 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 366 29 366 33] Inv0.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 364 18 364 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 365 18 365 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 366 38 366 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"/root/milli/creusot/cargo-dir/src/lib.rs" 366 8 366 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 362 19 362 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 363 19 363 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 366 29 366 33] Inv3.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 364 18 364 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 365 18 365 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 366 38 366 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 367 33 367 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 368 12 368 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 369 15 369 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 372 27 372 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 373 16 373 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 374 16 374 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 376 19 376 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 377 32 377 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 379 34 379 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 380 20 380 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 381 34 381 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 382 20 382 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 383 34 383 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 384 35 384 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 385 36 385 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 387 28 387 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 388 16 388 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"/root/creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 118 22 118 26] Inv0.inv self} + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 118 28 118 34] Inv1.inv _other} + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 114 4 114 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 117 14 117 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"/root/milli/creusot/cargo-dir/src/lib.rs" 397 8 397 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 393 19 393 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 394 19 394 36] Invariant0.invariant' other} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 397 27 397 31] Inv0.inv self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 397 37 397 42] Inv1.inv other} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 395 18 395 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 396 18 396 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"/root/milli/creusot/cargo-dir/src/lib.rs" 397 8 397 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 393 19 393 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 394 19 394 36] Invariant0.invariant' other} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 397 27 397 31] Inv3.inv self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 397 37 397 42] Inv2.inv other} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 395 18 395 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 396 18 396 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 398 27 398 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 399 28 399 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 400 15 400 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 402 23 402 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 403 27 403 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 405 27 405 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 408 16 408 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 410 28 410 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 411 16 411 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 413 16 415 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 416 16 418 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 419 30 420 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 421 30 422 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 423 30 423 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 424 30 424 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 426 16 426 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 427 16 427 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"/root/milli/creusot/cargo-dir/src/lib.rs" 434 8 434 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 431 19 431 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 434 30 434 34] Inv0.inv self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 434 36 434 39] Inv1.inv val'} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 432 18 432 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 433 18 433 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"/root/milli/creusot/cargo-dir/src/lib.rs" 434 8 434 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 431 19 431 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 434 30 434 34] Inv1.inv self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 434 36 434 39] Inv2.inv val'} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 432 18 432 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 433 18 433 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 435 24 435 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 435 12 435 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {[#"/rustc/5bd28f5eac1ba3569bfa8d49ec3f5acbdfdff7a0/library/core/src/mem/mod.rs" 726 21 726 22] Inv0.inv x} + requires {[#"/rustc/5bd28f5eac1ba3569bfa8d49ec3f5acbdfdff7a0/library/core/src/mem/mod.rs" 726 32 726 33] Inv0.inv y} + ensures { [#"/root/creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"/root/creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"/root/milli/creusot/cargo-dir/src/lib.rs" 441 8 441 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 438 19 438 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 441 31 441 35] Inv0.inv self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 441 37 441 40] Inv1.inv val'} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 439 18 439 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 440 18 440 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"/root/milli/creusot/cargo-dir/src/lib.rs" 441 8 441 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 438 19 438 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 441 31 441 35] Inv1.inv self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 441 37 441 40] Inv2.inv val'} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 439 18 439 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 440 18 440 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 442 27 442 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 443 12 443 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 444 12 444 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 470 8 470 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 470 8 470 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + + val invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 470 8 470 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 470 8 470 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + + = + [#"/root/milli/creusot/cargo-dir/src/lib.rs" 471 12 481 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"/root/milli/creusot/cargo-dir/src/lib.rs" 470 8 470 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"/root/milli/creusot/cargo-dir/src/lib.rs" 452 8 452 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 447 19 447 38] Invariant0.invariant' self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 448 19 448 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 452 21 452 25] Inv0.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 449 18 449 36] Invariant1.invariant' result } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 452 30 452 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"/root/milli/creusot/cargo-dir/src/lib.rs" 452 8 452 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 447 19 447 38] Invariant0.invariant' self} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 448 19 448 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 452 21 452 25] Inv1.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 449 18 449 36] Invariant1.invariant' result } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 452 30 452 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 456 23 456 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"/root/creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 66 4 66 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 68 23 68 27] Inv0.inv self} + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 67 14 67 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"/root/creusot/creusot-contracts/src/ghost_ptr.rs" 68 4 68 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"/root/milli/creusot/cargo-dir/src/lib.rs" 506 8 506 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 496 19 496 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 506 25 506 29] Inv0.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 497 18 497 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 498 18 501 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 502 18 505 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 506 34 506 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"/root/milli/creusot/cargo-dir/src/lib.rs" 506 8 506 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 496 19 496 38] Invariant0.invariant' ( * self)} + requires {[#"/root/milli/creusot/cargo-dir/src/lib.rs" 506 25 506 29] Inv0.inv self} + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 497 18 497 37] Invariant0.invariant' ( ^ self) } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 498 18 501 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 502 18 505 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"/root/milli/creusot/cargo-dir/src/lib.rs" 506 34 506 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 507 12 507 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 508 15 508 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"/root/milli/creusot/cargo-dir/src/lib.rs" 512 12 512 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 513 23 513 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"/root/milli/creusot/cargo-dir/src/lib.rs" 515 25 515 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml new file mode 100644 index 0000000..34b6492 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml @@ -0,0 +1,513 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml.bak b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml.bak new file mode 100644 index 0000000..5e89b8d --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3session.xml.bak @@ -0,0 +1,568 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..ef8bb8f7f216f63ff843a521db87d335932ea6bc GIT binary patch literal 11370 zcmV-wES1wAiwFP!00000|LuKQZ(TW(=DUA|-+Cq!4RBuu<;Dn!60U(ly-edira&H& znVNE1ZdaCqU!5uw)T^q4i^^dt~ z4e9=`x@xV-tG|a=D6OwwY=3!K?%u!rBfPsoJ2&0kAAfwj&wamgD+dtNR#gywx%oeL zf8_A-?Z4iKcj&Y=J>I|WJA6$YXq5i@-P>F%{_&6S&)fVjz}=t{{q5`4k-2_>Dxtf3 zdyfYn0#Nkk&E3Cl{fv=g_Pd+ z_kMP>D0dCO{^Qk_^NvxKx9IBT-TVB{@aFFBA0OW>VF+(--~J<~H@6?|Z|?8@k>74P z0|+U9>RX<@e|P`>174%$K<(Y!m3DVE?{5E4AJ|R9$Y1F4O@8~^{qLyrHoxCfdW2z| z`+t?z)9&U zf1_rAh5!8c?oDR(xjyh510LGvmGKuOa^u>ou?CF>PpRbn@3$WS$=~X{{|)m_oueN# zSqosMY8$oO(7}ff`Tad4QSF=6ceT;*{x-b5|2I5)@$T-!J%*WXhjKkAYzAfbK8O2! zlmMwhd4KoEO?jJ9<9}~CkgOW(rEnk4V?Ao+2v6WO8oeGNqZy_#^i%Dx2Jms+7rL4a z7f(TA`2Uu>>(?X7a5om-eO7C@1?Jn>wj5pB>-yeqxw-Bso13fk#NydvVp}CWqlNZl z4>h$Ha?gu_%hAX#gG0wO)i6G2`h!;n=ld9ZkO@75i=I=&Q3jtwyp?kXSCzpR0zj@9 zTpwU?c|Gy387|Gl>wMyMJMp@xygo<+KI&LknYCSG=4Bgn_(#6^aQpvqsxzs2WGx=Q z?#W8cB#53Qh^`G)c>%nD&oIlC5?oc@6^Zr9Fg5eW-BmAr)>UgSX0As1MhLZsD*fD7 z>+1CGuUUoHs^T!hc0mt^!I?>za=#Llg6)V(!48W`K@zymgH$sHlPY|;ef!&+e1G?L zE0%mJNfl6u1=mSl|A8cZLSxo!Se5Cw#rE zqeVSYr46-#va&rj73C=dgDkrSA+d&jHl*~)sR&;=%|GmHH_#7*(`V1@cx;-YuVE>9yx6shk zcq54w=dPVFm2G`50OpUI+@P1e9G0xV=%0+D0T*owAPh{i)#=^!!l?TR4ZkTM-oaq& zMNfU)HEW5pzR;`s_vW|XVFupZy-C$38Cs|VSrvG3|KIQO%dxu`gG5~y8=mvI`Ri}P zb$Ih3SM1WvO!nRHIi$Yh1GckobzdB=cg%F0hW{VO4cV#S*{<9r{nw#W+dqXH@X3Lu zT7lZ=!sh=JKJoBLgimsqIv(QP`}cSM%IV)Al=c?>wf0nQ--b7{iS3^s8RiazGh8>% z^aZ@&ne))>@z&-_Z`P(7BVE!x@etaMhc|>81<$tXmPJ|(5Izy?$7~^X|XXBMUKAM(jt^7pxMk{nm zKp$>*uew3;{eId}2!9>nX#?i7ds^-@`)PhQjOLC3iBQroo<8w9&f)c1TQAB|^9|)w zr@a*=W{cQUXM7DLA1lcDGlJY!%dT?Se|^kvyL^->Wp{kNd5-!4cS};@kS-kJ1rEk1 z?grvhM~JVlL7<|>jQHd@Ds=!3H8*P2SX>YH5Txt^6{BWiVy`IqIouLsu4IX#F4oVs z60X9D)=;J+aZgJc=YUr=14HTSLEsLO=4RhA#(A7iReMpfWPECsKQ;A?+(UG67WMQz z1W<{R_EC>GJl)m3Xh<9jS5vvX`1tmH4&Cn|zR54&-QB|F`KA50o@&0;jMTekm#BA5 z?(l9){4~*M-iSt@g>2pvjppcYF~)wSm<>0h1UcByDbHi8%obb>PTnd%C#Gd7{5R;W zs|Uy^aUPY4t4VqcGVy99H?Jm%u}{uk%_R690lrmo3!SnnzWGp~4s?8abx4(5Ei}d5 z0Oj4Db;wf+?vA5Ot@u;8J4d(PRj^R)fU$BlHvk3_IBaZgrQa&HReZ;kkcWssHoO27 z(ZekcnLM@VAsv3&s;biVQloFt@ZeUqy{&3a{|4)|HL#Cgn@@McR<%a=bT9>)%RW3F z2q@gi;YIa_>$?}vV(3{6J&U0~w;1XP#`Gd#z7G6rzu32Hk*c~1q0YB8IZ9ve$SMwB zQNUmnd{<|#SEpa>k!M8I1g|;^UfIK|)UG^3OZv1tQ@Y7B zrO)pV6sFhmOwQ$*JSorQK+K1&^q!KdJd-n0R)R&e0e7AR=OWso~ga^ z?699h+usr#tan#v4l1=Bz8zM1cDYszZ@`9+P0ao5O7JQ>pO`Q7M9(MYGcZpsGEl#j z<|4e$g<_BQiE~D&?J1Dym$s$d2TIJvCW-4I1OYf0q6y?8aH77O#W?tWKVSN*;i5)8 z_>sdL27{TnzMfdBE?Cs)i_ui2m4-2pvVX9)cWeB`)j5S;@A}VMYqr*sl(+W8e4%JB z;;mhX_}YeB%XeCA{~6DlOt{O~H z7|%Tt`LFeb-Wv7S0RW@+McZh5KpNxC)<~3S_0ZX=UBXu5uYcQ>#1+%M7)GfI+Yyse zyRG(H!y0&P=vwWaLak~LoZV{k*9N9Gdkj0OzQ>dt0&Cvgy}K#z?`X6A_#QgU$ib32 zv`&4)5AGvewxi6|{vBn0WOras{}aS~u|3e5+0o9ZeP|Q;aKmSAA|Gqu%uVDYO`N^^ z+oDoV`q2;Bw|dA{@7dsd$sJ)}>U=ERw!; z41uX(2up3DIc|t^^zFj8;PV!l*26_{X+31Tk1^YcKvP55mD-6}(?fh2Z}DYAe43f! z(|WjuaI`UE%P!;A+z{0zDHyt;Dh%OYek<5k@ZnGZA7YQjPNtC1zDkXaqUge($B?RJ zsM!=$HMFYsg;K3r)h%qQwW$|TZ}r`xK|3@!96b@cA$Sx;>4*5M7A!_j_JrW|F<5-K z7{jw<3%Ghkmc=}1nXe+)@cKY_Grv9>Jtvnz)p8L%C+YMdMN5$9CIzq_3?8dXYUx0Dd(v0-W*X*{8aC zRhR5Et=i2W(}VW1kBd`wxEMyR^l+j2068Tahb!{UA0jK2n`EVO-Mn>fRz2wDB>)G=U_C77@|@Ba^^zq(?kGWh|?Mcw2oal zuMyEbU`S^Lr<~pYzDStG+tjbC{B?w99s+E z9geG^*9YTjsOe9muQGMIjH{_ZaZ_h}4dl4jHdX82T&+sZmd5tAd^Ll4{}v8GOl!|e zfOnTX>(i@4$h%tL=ERcc@hQD*$+K42UGki}LRWMCIb#=ZzJ+t<(p$reIb#b)Ts@Ig zx_qbS5k&CLmdIuBKTVA0)!A{QP4ND5dfnnisA@vGi#CE6hozdF@)xZ>^NwBQ&F_!# z-3j?Wrnaasf%!=;4XG0WbaEa*Cs$E~y-2)#{PNuK%We!$Jtsnt#{#NiEGW7^5cl9gBSN%V~Ba zxl)IB{+`fCVHNln&t}E5S@CRE{F%*)MXb6!J4RjZEC{c`K6nk^1= zy#@K}kv+S$6ggP-?_U6dW1`_e^*KRd+t15 zt*H>&ta8hVb3f+un3FBo?=W{!!_ioaE%3H_PYq{pqPRAETZ+kT$nSIdgDXE}xFs59eo`b`Vk&$t>cDC9)o%GouHWa^f(zdCIXRco_mkj0Bx-rK;d?2HQ}`kr;z*>~4Y=3Z*$@u;UHI zA^qCdLucYtuuZM847O=DFpx6^+n5?HC65H#^dUyRf!D_w?Tg*U(-v(+VMu*Qklq(- zW8^y4rU%R%joF?D z`=k27&q@qQXvT}0z%AW=_`h@vvTvo|hMpHv40L9{!O}RmJdnY zJcW-9FQ%k2)00-Mwo&U%z0d;0@M@NJX7&tD7w4aodWQ2U_sk8~Cz|Sk+~1O3A2V$* z{(bSXMe4aP6shOdk$Sd0KDynw>iuAxo@>yawbgjI&HcfChf=K_h3?ldZZo@fBK z?r~KQ?;h@E31}1hX;>^evXeONBD&#vT)-Qb(|@XqkUMic@k#A&IjwdXzF&*1Hw=a{ zlypZ-6E2Q~0q`{_(|DKjE&Aozvr;x3Y;u2sAaQWI55x9r7?U-)Fyv|I!5e*lKKTFi z@<SsgB-!#`m|atwoaEaD|WZgT4J_=Has|# za|N{e2}<=7bmJ#6rY<`O*bkN1o5Ko9+gmPhQtN_*@PbY6w0zUm*B= z^lj7-d~QB3_*@Rb=V}N(H(w<9Tn-m%$_+YX`?M5C-k&p&!;yl1akDv_av)*R!og?m zU0om>l8ufRX5rq|GE$KQ`f}X1zUjBHh)KuK2u33c}jt)D*n}3OV#74a`{DIQzsSJ znTP9_=kT9MfvL8J)WkI{lJ}HDCk6T`pHJ)T@%)GYJ-$BoY*BkYEIzd0q$b~YqkH$+ z^2_?+_=fws@I^f}Eqhr9m7R~dZeM&vm-hD1QS~$enc6R7QM%<_8ks-7o#k1s()D^m z&(omgu_yUaM^X2b9&H%YzSYGnJMCkgv8z8-9v5HEXTnwGqXXP2`-Pc(r~S)${qu(N zSKWy>1aBF_krJwVx#T_CBx#H4=Z$^48V&^G;}jiGMs|D|?ufruH> zD)BKQ;({-fJxnEBOlS`P>vQzsgRHV?(f!dTxMLUh@)@++$5%Z%OHjndqp`$!K_UBD zLb(T=YCXjYt<2>dP#1*yo&WIeU4EM$k6j-MWB(<>hqv%peDv@k5g^Y)TC4pZj_@uI zUVl_R-_7U!Ai8^u5nTkvxWfIIBAYf`zW_G2^iWkXpr@}G4mk1da$kiZ^G4n2fx zcVy6o^fjx$yCk$5VJ%)Cu2J8fm#pHDkGjZOvB&w_8ST%fPrvMP)D547736hXRO@V= ztc*<|7h^ET_+;E&Uqx;+Q7w!v}3`RbV9K0KWf^u9#Y zPAL7%gFP#X{(uK7uZIsJ{BpmWLYxwWpWL%Q8&F+?08TZyA5d-fW;nOU7(mzMNB!{S zM{W0XdZ}>QssC`>@nW@eJhjbN_LLv4f=*@Z`O%k7t{!8J;l=Hr^2E(apI{qhT=WTyCus5j;-6n?-csyDyO@1 zIUQ9-9(Q)#%ehUgt6kLh12~%cILTl@-$VJB0w~XG|3RF43j7H_mtgXttV-Q{d1x+V z%yTimb!YDYo=YTXva-x_->)9FU!1fb5776A?%K@|dNUR#JWWOEuEi}2yEgs{ln#qKePP@%9-QfPx!e6lMk0Or_xbB1e%NG%y}5!`m^Jx2+O-CD%7@}OA+ARuF1~cClbxN6?Zm@cK!hdO}{;j{^Y)UGdfW*F!IqHed~`ydKjjeEjhHkWXPf z1#^IB^RYVx_tPW@H%9Va4Ht_kfOeeg6g%h?vDPWJpMw64S*e|Mji1I35Y)Keg$l@jI$L;Cj61PuNswYT_87 z*U$F-cR%?tv2f1F~L!$AWbKz*MX95E7ZT?rsX4A-r zBSt+CW-c`N$Z`X)wmx}PGi%7}S=Hm&>uQ>gIoy0c#@qWA)I7+?QKYuJL7?vc3Q8|Y z7w6#Q&Ox{)P3r--A&bbE62sLmp^WJ<_ybR+X&O?^aH5t))(7I$p#yQ^dX|}EO5Z`B zVllJK9Q~2C;S&@@r@qlUalq_xeb8Qx=g5YO)mKwUmiJ$#0DJts32VWIBV6EHN;uf& zmZs~b>Q-Vm8GhbWM)@u6h!+r+SQJ%&8>Y-;PGV^F4Od zd}ipn`}qES-~8l2pRM#hfRaJ{02*ZqfPdVx)&l_#iSt3=HwN7m>drm3eF zFS;C=NZ!WIfn1|9vJ1gxTe4TO)7?w8ksGn$8}_0&?^Db?<_^l08>wxVVl*c3P6rcT za=zhg<2P<&H)f;zYTP9so#(D7#&r=TrO7Ygjj$VGHUe#_jR4eQBlxLyS+TCjz+#uP zPST2GEjOijXN^xqzLb0;*+%#WwVs8`zKbenqYX=)*HJpBOR`;;d5N`k@fjTm9=sEo z+bEUL+$b+YR!YQxe~~xvji;h*fR z>Pph0E7B%rQKf&ZIs+7u~B@Z*hcz|bQ@{Wu+Ig|14~;alZ9m5>CRZ$IVVLFti0qFJYm_! ziVd!CVf@CpjRAw0jnNyUHb!oY*ciSsY@_`~yN$LR4gS$13kB0TFHKhph&~w|Gs`(* zsuO*hS@V|`EN3^?Y^>f`wXyOuJ2WmP%Zp{KgIq|$fae3|9-JbSWsl4PdH(p3=j zV?zP`$Gz~DX=jpzp`yKznU&HpqntM{J>Ph?aS*xy$8MZ?0-$2hj>V`UzCr!I;{x(W z`y?171R$$GiKmAviB4u~9ZOydULbXajKRZAvNJt&Y?N?L)!6T!$C$}&=>(5C)tK?Zb&_K8>Q70WbZZ*?hu?9W=hDQJ+A;YlD!e-c% z4i*{{0=6McRU2aAZ3N;QABA?7!*&u$cM*ms?Aij2rD6QQW;eddW=>WTnMq_Pk)cGE z(lF9`03OA_>x+o5b%aY_8rj}M#U{h%+WB*V~SmHb<{BZIh+6v z`=7%B;KYaU0)9Mfqy%49Kx7)@RSYb_;U+sTas|KCG#LuNgTrIyaGALzCrAE?FhnkT zVOC3?!2hX}(P^bLk&0(Jg$YBtT2EZMKN*H#_(F|Yorb5sFU3Zcinmtl(~y~`;V|hF7abgW3(pkBd(O1- zX(4J|utC;UN^Zp0LStejBw7@d3{IR;oi8E=CxG7IqBsw_CqiX##v4{(!GQQQbB+O| zWMmW!(2BGdSVKQG0c+%UqHH>4yzNBvpd02G<5qDIdC*M4?RIkiXz3Z7O^yE(s_AFU zJ=nnUQ2MIV@YNwuN&2hk0&@!Ywj{H_oawcZu`3QU-=Lub!4_QNaM?{~Kn2BOK%MkP zGWY?p=?k>{^+d7Lju{c9%S=mK$h?HhDl~ePUT|6xWE(-fex5JPVO7Bwf^TRY%h435 zbI+nk*@l?AFTUMj70gMVI%Ta0j3p}s`huYuVAeU$>(T0lg)c3P`(DBJ_kv1ODMyF<~Fko zcSh50iqK%GVR0Qyg&+O3RYD1p-CqmnRCIA&VM@T_2g`SgW$(EUDx2bD^}YoZ%Qppd z&=KAm7rBeZM9~3o*1;==;$Vf#d=O}8MnRhKVL%H`P0(N3pyv3Y3n)}UlM00@pmqeK zum_Zb+5tb|M?2ZHm5uI*lRWw%R)Rv}&`5Ch@I$A>{T}5U?RgW&p`0U@BXHFVA4-;8 zfzcbZ@+|o-5urin!$s0O&G$gQskth#OTw!HR>gQ>92ss4hwB6dO+H?mEAedt4;RnU zelcdtak!(31;C|)b3!xWSp!~vy91EH7gxB6T8S=rFN5ir@=$`oGM9QzQQ!6;e6kE| z>(Psb;|(jKgNTwvNu`_>o;0VRFcOL*A>)|%l%h$#^?{Yn_-rsmNrz%nVicj_phgOm zM@*#+%zb|Yvns?`LMTSS{4LhQ=*@{tV3_T&>_2N@->(q2!g)v#rz8v&&%l;4!P+l5 zYvG-i6)hAJ^*s_ZcO5G(8wIQdVSy8GMaO)C;cKL;yIn%k4+E1xG6e`q3i!gH;OYv= zzrR77l9Yyr3UeM~kg%m0%u`tRPQr#te72DNSOy$qVN%dX#>YzJ4>z=i!92{NS?*8V@J^L+tU=9et;CDD3t#`IK7j}Dp(>~S)Z+x z8F&u16gYfv-=jG>Xl3gvUK_Oj@kC)4LBOSm$Y7);#+>6M4US;| zRH5k|2CK!lGr+`i?t-CkS%?DbVG)235@*&i3S=Gj$pjh_w606Q8}>Ei3AAu>&ZexS zRVv010%t7b0x!}hfV$eI`UXIj&JT2Yi~ zhycLm2WE%Bjma5(`0NVQI;|IZZA7O#skD`i9oUbJ1X`D57(I8qIA)U5*1D29VT)(p z_ej8C=`hWYii9jhmy_onkQ6xnGIt5~JZ#6ngW#zlLH^iCfC7(noGs8{GaF%sbQxA* z2Se9}oTp%(eq&dl>k$D~e_u8tW-CGE6~i&#!3EFYFa&2(P#u$uw;6Zen(>8hm|)sy zUt-8`JAwo17*|GWCtUh0upiw3lM&XfuS+pm6*?=KAaFBmbPXGw`~A@WU~Fccj5*Q4 z1{j~PoCO37DGHz=QYbg-}s%bArVh3FDwYviyd0!(f=hl<&a zB8v2Y$pa=@N%w%sVLT2K0PG5fiE)|^01Jnr4n=`&g52@h;dc1*C3j91siQWmgGa}W zw9fm8F0`r3n4W%U)1xtun!ar=e1YyM1OxU`7lo%&qCCMf&OiW+iQs6@5#2+R;74bt z{bPa>Gvg^+mR%=kMcb;*K(^3%We47m4HE{S&`;y1@S~&Y;;BI7S$E09^I|f%s5GQM ze6Nsvq}`RG8;As&{o0@ku9FB+`z(@>rOPZD&{lwtEIS(n?fys(a5(*CBoHJ7r)2JH zL99A0Jbb#kStUa(O2UfEf_crea=Jk*zcHv|a>XQWEI5c6pXhk5$#n~ys}Sn}BqW z2{9m89p#F*k4k(?|9_V2kQgNOeU!B2*6Y-1@c-kkvmy;yd~w|padM0fddw% zq~tNMFn>&p6xfW)1j{>Rr48B{+OG|{M9nC;v0>!Th7}h}($PSvBuBYuf?{1U+9lXv zNv0;V(Fp7>`~V(oPpQP82t$TWN-O0ev&Q5a7%wTD`*F?fKfgZSZv`5NP&Yg#S5p75v z93c*jTA!S47?#f%{tOz1lLOf*C?%ej9SApwppz}y`6S{lhS^~ZJ4!L;ejp4>st!y_ zU{V5&($Ogl8;&mb@2`DV941kdrII z6>`rwb2Sk{XVzGjw4nGbVIEt;!Oy)2FiwEr6`3l z?WBS;>$na>Bm;BLQ}g6gV}f$3gJl_VQkrXDpn-$Wv}p%TFieeqo|-408b`;iVo4dO z7H|d_^IezWpXFj899dHx=2=mH88?`Bl>a@`(z2!_ojRM~OcVe$@aAwSK>dvEFB0TY zk}e?zr!D0+v{uL%T_{X;(lD!<*x_P@?q|{SG@>Ub4gWTDNvOgzWdSi>FqsscCw98G zrMP^ap0BewWCKa7Oq*dvspz7lZ~w$DaYaXU`{_~7)AMx{w^puzeVj&3-+AwLjI4X-;6 zrh^-)g@W%Wa*UonMull$r3x%XXZ;>eX3{z{`t4%Ynm!WhRT7+YkSoMEvwQ)<)62~u zwB`ktZKefS3-d_uVxW+fGR{b|#L&|#yvQYtH~Qj}j?P3{h@{lTG5KKn^SBduUrm0Z zi~#p|B}?GK13F+5R(=jplp!tY?Awu{op&DW!DNU3ymj1Cx*~0OCm44rEW!Tjax^&l zSW1AGYqQH*MxBMWSu5CU!TTkxKFiWC9d{oE^CktBG*L$`CR&|>bG~!1mfcH*DhlXO zbU@ls{^m#hs zXl>H;E!Vv+ptEN8wKhUl8HP;pa0Bv3>#sB~S literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3shapes.gz.bak b/milli/doubly-linked-list/creusot-sessions/doubly-linked-list-oneshot/why3shapes.gz.bak new file mode 100644 index 0000000000000000000000000000000000000000..f9c64019ef9cbff5cde249e18844a00fa662a106 GIT binary patch literal 12859 zcmV-BGQ`aviwFP!00000|LuL(Ze7Q+;JdzpZ+FJV0Xm0)buol-h%LZ4FLSXUO?0$5 zmPJ{jj&etBd+kJ#RH9*Ouh5~ox?*>At^e`E#rxmg+w}h8-|5}^o7*@4>q1@p z@IPPN{pD`n{Ci8T+7;c>e#y4%>V$c>;H1^ZIhq3*GJJ@?Y*Hg0|CLxc&3b z4?|}Se*S75*h?t&TQ9ZK)J?=z{`|xJ`zHOp1}W!2_2gP zu?Y~suwJ_K@$NePg?H}1-hD`yyN_NqfDkkItG4=8g;`&<##Q^3WuBmr`|t*)c5AkF zOUccR`}z7`w{KFZj!&RaxP5a6mEPBT?5Dgni?^n~ZCz4wg&@M%#xC5CWvr(BYbzed zw+*!ZYj8O6=KcS@y?Jw2YGdmK?plRHC%rmla0?Z-RCet2%l5S4it;TL^S5O<_*~U1 z0atwx>Z+8*N|V;F8VS%&3zV0)VhYWqOr2tQUB?elmmk_G2)opC;+z&QZJE~iK>aE?ggQ^XD<8^GrseA-5FIl-M-fDbjz5TM0St9cDLAlc8R?YYJEua?38&Hy&B&>&aVkaj?VQR-Y4|`)%R1B2ZKuY{ zvJ)Uw8%y0Z#`{P84Rp@Bwn2y8Olr+Il5WjHXi!oyyGyxj zIkjvu^;>`dcAbd-)d^^t*j3bd0FeXfQJG7}-Sl|hKqd1#~U&G5pDvfg$~;8Th0 zJB6{UgC+xL-RVRFGWz7RZGsEy{hf%Lc)ar26`QdWam*Q;i3Y%=6F@%0yVId>q{!4ML6(X0m7F8 zgwF*CUs4$#X9#-cODZaKxFf?RN~n|=h_GMKSNmj1=SJv1y{lqeq8b@kvJ%tJ*Z=4C z&oo6eRUNct)v737%|<4sl(bfRNwIMnzz($ z8EIV78`bscOpbGSaM>EST{xS5p{J~|ubl;-)KU*3VxQhDdQ__j8%=+{z58#V(LgRc zarQ?D)BC$YLzG_nyXkD#NiA>Oe|>oSI+4PAO9?%nl~TNz%^&>x^w)>ZvK{!hJRDm3t2OY;-o6^D2M}wy>-^#M z>m3lG;U7VzQ}_Pn&2O*M9SpsQ7ZkThVxqt+x5bJp6jj}fpSG&^CmXzK3a{)J;;+`g zFY6uSd~O8}cTyWT`Iix*E&pW%stgT!oM5E&&z1uo8o*Ki_~WvF!1(+LI5InBirH(B zVP2Nsf(9fzP#_l3U^^J5fnld;F#SUR)f(7AL+JvW14aR~{iA7ktW@wk-fHY&c-MIe zYf^{zv=pa9i3Sjm_XHwc*{u{9ChHeK54x1Q!13iHj_~$L055Vj3;4GD7WZ&5E5Luj z-Cft_7KDiX)5(;MKn}wx=D=E|6)sba%T(hs?W)lG39c4grdPR4H7-;0;md;nzN#!@ zphuWSGvUXd#ydHkM6@XzV_6ggbBdyC6eZVs{-vR!xG{}qY2#U12ul=`WJ*oF^-(0x z+N^v_mwd}-at4~`h5B&7Bjqg!kHcldcUgG(ca$Bh(OjhS7+R|#)P zaXXZb%NX;gD4~GD@n4Ck)s3)pBP@+`txzXTCRjJ{&7A9Igr%2+HS6k^<8V$`u-2(a z##gQT%7=W;o@;E`h2_AO&0PEN=I?jzEwo%M{o%elV`yq^Wz(luQ^Q@gl_%D2nD@}{0fu3Y|IW3i-RT_`=K6j2?aTDCwdv(Z zMC0`GSA#QlV0z_rTEujEWtm{0e@lTh= zBil6|*{<=(hj*p^wU_|b?8fq3?s*Oa?(Neenr0+&ZDtnei!vH`iY4!Uzj+Uk{8Hxq z7npbK9QuJKO97av(ncxQJ9v*?!%a1Xu1R@U8g=h(+?%`qfM+k>-oC$sVaA(Yu7N@( zP=z+p7U(=yLVKyU$7uGsFC_V1lcS<-Nu=)9y|dEivZ<@K&c2d(~D| zM_RaQE2%qFbJf-;cVBcahemc8yszic;X%_Kg~90>gLj$0rVB3|RmK4ZpF+HyEkuaI z;4=Zh7Yr`_GURzurSu6?ROt#gm`QulO zti(iu$WemG-IWkk*9j&oA^2o%CB!TjHG0+3i<+;5sJ_O%uTonHQ9COklbS_%Eh_dA z)(d<%tc{Gql-h-;WMoHFGO}M(GL*n&9=Mn=7#9;)kIng%7yk=N%(#xz@;{KIEnLAl zGSHT@t7?)mbSLT5cw`HQ5}4p!dVl-+->F=`EbRe{Ay06!%VRr??0(%c(^rP(Z+?I` z(8!jl%l-V)OHKAuDAuT?%<4Rd(o1n^Y`H9>g?g+=8*Bs0^7>R2l*a@p+%mCcvOZqX zKlQ~v5yJqjtcx(lc10LtOA%K1iB0V8spCBtN22W?is3;ON1~u!4C1JBy&Sn-jjXOm zmNp|t+X< zAPiKs)$!fc%&7YT8h)LDc)P*YL{E7fs_7uf1_s?)CdrSB_s!?YrNTi>>25wzI8uU+k}U$aEZs|DT5q z*|FfsuG~5Om!V_ZKe%h)lRZt<0;SQJ&HvGTr0yegA9iq4ycej71_#YsYRtx`H zddfF%-0R82w&w?ixdY(@*VQw90bcOLd8qbyZF8YFOH*yv@r+)Y3sjwl>kn^=cs#Fx z>i>UY6Q>eFC8-5V-Betmz`QwuM(BNLkM>^9uL)LA70|^DqNhQ4`H4vBor384=_SbD z8~AlMr*P(3^D!Xj_?YgGz*AZWV{}-{;q0VwmNh%9cr{7`y5Ml(K1%mdxsSTb1GZlt z6leTR`dF`qniI)TaC^OB}|_hQ33yM0k?-urno z&Q6$dG%7kh?Ze+mtu$RB#9nAd@?Z<{Fz%xTB|zYhb^_rC6vj~g*V5rg7;K_5gxHTU zx&(AGUf%FgwM1>@2edb8p<@Dif4i&d28yryX$K+vb%3W1m`?6-xlgUr{A3u_9RnnS zk_O}HBQ4|Xub0|-Ru-GDC?7j*Rur2oVvn8CC6IKez^Bg;a$PLD=@!EwrsU!9dh-Gg_IK~^?{V|v3>70LVq#U4 z{OE3wF&DB#U>D10TMn+mk=CG0D7)L7p9EeH6{u@jC~&)^xn5hwIF0kMY7-T6#>ZCa zQ&Z2tJxCWPQBUI`02L`|je6Mr=`QX?MdDDnn9BLZhd1w%3%@)6I$gZQ_>&hu*Z-DN zO}Daawn}o2dY9-9@3usb6OE*mXyi%A?)$3}_hDyaY%9g2-wYCDZ$rmCkF8K!;9}t9 zt*}#KnwNtAy573Hhm2yUQ5m}&rAL>EmkYUhIZBK*IeR&g;41=rEBF?4%C7jPy+9f0 z@bq$@D!H6#irWt5?aDgjF$H%^p-idxgS$ONx84@8pxPc|<#K8ObQ0KaY;L*T3bGY+ z$CTjvh=5nT04S`%&Gwl*HEL*&4nJ;H6={2}(KlCmiHIMA1?1+Jd2@cG4w2kzHc$q2u3xLFkJ`!wJrATTBM?^LWt9C zO$w#2c4QR=Uy*^q$mp)Tn!Kq|m_wi`$iPlKWqotHI{jiro*_{qyy7Hyd4pGoU3msA z$>Z`&$STi-JiR}lFu9axd@9fQQF+EYG4Hq18zmQc#wVmK_K~u( zH{Z5A6RYxUzn_EK-yAqt?yk`6RcbqY+gEvZxt8@ez=n@a%x!i#@G3c-n9uY?PbcOR zFpn-Wpnl8MS$Llc#fJBha|WqxF_7u!x~1I$C8lB%#dQxs037sa0zM0zDDNgQ4z}&* zb9>n@O4NfLILyFcU?#4vMwTiI7A5*(FjaA-VF;vb50>_BiNCl!rO>Ng|9Pv`R@X>v zePq6%XcO^T&qRD_!z|@HF1G&&&#O$==ET+s6deUREstwh0bcE2PbjZn!oU0JNVBcx zTMcctRf?@*|6Cy=cwCw~nc$(qQEJD&M(*8e(u85Tno(sF*5w62LDmGc(pzP=O7(Hb ze@-Pc+?N>76^Z=M@`LN-=_ZDu zRDtb)Nh!@%+N~lLygGC#R;N&wL)Xx;RR64CO0{CxVf7VLvIo|@y?uL~-`&2sJGO@o zW@NXd_N`N2)4lr$=j|v{vA&~B59|)C^glvOXWIj{nH}v6wfAiz?{E0TP2@ujoVba6 zpox=re`{3AQ9t@V`&Rea>OC2phujecOr4H}o0^xy-Si{tH$BTlk5G3fgr4ohtjT`f zV&}|54@`AEEVYK_m>%b7>xHes=QT2|!BtLux62k|wiAISdf1iNiCL39zKquRvL2tN z#`v@bR}V)UBDVBAZq4+lF3e)kQ002~S2>8v`hoIxq2Xb#F@}V;DkU}wqYHl=LaOGW zW@AuQZ&j>?QY~7QHEgQ3DQ8h{<=w17-5cyjPuOk<9!62x9)DGX#qh~W2p;eG4%)>K zp2cgx)l0N2ra{Ye5y1wp_k=gotAo*Vd>&NIXVG&UPd~V6SXwbi8;HCQoy!52y%?I? zHS&$?7Wu~YJo2rYtvu3di%u`RaRk6GIwOEHK2MudR0^9QU$(e7q5DN2xsd%rv;aB5D~Aj8&F>>Cg&Ad~FkhCe6#bO=BSotSJ4CC% z<>|w!Ya#aPglLqHQ#-Q;q^w7yu#*g)z0oMFN2C07;zI4yL;#(M(-H-=j9odc5f<(- zq?3YEPVRp#5@t4c57}8WborX4JD)X72D$j9spvsVRA)SpRJq#zc338He8E zl#j%o9d2T3I2VxGvREl}%x2x+?y3b2#rLg`9f0uH0iJ2dO1;Nb9djtIrnIy_t_EN4 zjjO??KMuai*y%j3rUb=}ozW$b!(Q81t-ZNil$KF`BlWWH!U;KQW-B7NS;hnxG zG*DOp{>8Id@oZK+n-$-)Suu-M=O@Rg^PS}Yz7l@UOEBO;-FQ~GU=MeZWH%hBokd!W zU92y5B9X*V;6wpVoCI8tix(@vE!@Us)I)!D6!|+rRV|9?rY*M~t6Aefms^m(9@w*6 zN|C)~|MdV691;zCs!xGBUj3M0Xr0g(H&4;aTKwJ_m^fp04)nBB_SAX2Tv8!uv%)P$ z);Vk8&Mb6yVG%4EeT*@A3D@Aq!Zl`$*>(|@K{1{A&ObU+O5E?*ObM@<1tPA5C=OAH zbw5wg%XvlIvm8To#EEe^qGz5J>at&8$c-41dEkx*Zimd{a!OVd=wuRMBd%UeLtxOL z*_k=C!9|%ZaWuF_kWLnh;2LasCAfx{r$6C-#K|pVK9eD^rtJ|?QVR5|SBFAu@bybn z3HwbuRkpI^;ELh$`C5DiFS!%BJUPS$V2<1lyQpuuZk+%Zry7 zrLigARidT%fnb{!Vq`0LEzW2yb{n47Xd?_mY9T>#E!IZyWvopDOdX8b zo(AK17yeic7?|hW+7~}CZo~I<rF ztFc^{7Ta_1;a|t=YWbklO=I|2e=#PN8K2Z@rHxW=>;)Gf`m0IWnaMM7x+wjW)H9Th zxo57aJknGHa=j(FJZ4&9{MYPdjnp#_6sc#Hk$Sp5KDgbu=zVXTo~h8DwAHx3&Glfv zeW}(CLiej1wi%7uay>y1+dJL+Vf)n$ z$r_C7c^VpcgYQqf|Bo*Zq+zJ#_7PT{^aE)b#*_@EUk{T$WMaV4?2Sw~unSaA!uOmC zr^MGxYW!L{ooxsWRH25cRqg3IMHbkG&sOYCkvg_AH>0Mt`ESbS{%!B&2x^w6)k?8t zx|B(=+nLs4lMS@~U|-G^pw*9{R6l}l{K$sX1&8+R*e=aA@LD6wd<@O~06+BLTHT(v zt?eIATJJktXvD>*0fV8OhpU&U&Y!T{8LO16e*foFVbl9yYnc2;3sF4^RvCeQkm;Kw z*FT0h-Liz#z1vUfb^q2JOw30Z+D8T~#Ox`XbFBu#1vOR^cE~+Iiive8CTC#Bcgp$p z>t+0Cy^SVEby!xf){5=Puwf@_d@zbT{~X^tz_O z=e%Et9(=AIAozUnZA1?~SDzMq&U^5==)vdeL4wbDzYt??(4Os6V;p%qXTbZBg0{F> zolV|JnALFbiF;QT$a=ET;X=*ayHaNUouyW}gg8`O^O}*C51C7ci}@#;YMr66(dR8& zuv@YCnqGM{MRMxqAh3y}3hczg_49N1Po%&^T|=tk8W+hM<={zy;Y(-Zv`!vRj|kx7t5eSw)#rWj zp#~>a`Mw+7yJpMJ>$}4n?#sew^;EU&c^wpXKIFPR_=wK!?Y^UGGy*cUEn{K26FDIiM^EwVi+W_HB9-ACFz{3uF5d;r&~9EIzvbkPwjP zAuZMZH%EBq2d_UWpYP`Lz8Bp+#)!@WV_4ySOmaC7q9v)ERr|4-`MjYl8Tor1%45r; zCnT`Pl0*05+8r5mCVfrn?=A`LMp&~~`)ic9rzNY{=cCTDR;)OGJEQ&a`01Bjj=H9k zu!6LVi>jS1la-M%g(EA)wJE8Ow5B8)e`aK>jzv>@E`1x)(g*YY%Ke}gsGN7^q0UT>^9Z;!OGo0%~ z3?R$$qrCs}qtq*%o-3So>fhgXJX`G?PHpp~nWpko<(zV)S(%g0z_cyaSA2%ZJO zvmkgD1V2AZf@ewaED4?^!9Gc_H4?;tIZX_dpt{A$Q>LLda^kTzdhy2cX3p{e$JVUy zJBI$5!s+HzPKPQ3j~l)0<)3DpPjTH4$!wlclD-+-VB8iPh(NMt8vRr zFAmp(eAp{zG|HJ{r_=igc2Br7yFRFWIIvyLn1uuY= z)`RvydRpaEIXiy$YS#2jpwTYSs9iQ&6NBjfM)fDH$g;){B*T%o_Y^QuT25x{{`23OAjO@#d}uHFxAEhu71@ouA9tT4iw4>zYkSwGp*4fTWb)-Tto6Dw^=dn7tt^Bg$81JLM)bn? zO}X(yb3Jv_&T`dL9CMmfp0lJ}3?$N^|szC|ckXG`K&q=(F#7&khb zBT2wMC*;ECJRDkW;p^;22Z6h+yDh# z7_!lJqr^t>jba-`H;Qbe-AJ>MdLvb7C3#J(6Wk{1sPTzwCyW;i$V4#!{6e#hrW;K* z3feLor8i1#lswih$uK9}5g$^Lk!u#UrYdJ^w6Zbt3oSQVY&5@D>xr3UgBK|&sYnb~ z!h{)_qYfca;1q0KeL@F}!o;&gwdaCK3M9&bWd!pM{`a(kuRoy!0cv@+ph-v| zJr^VaCek1%+$WEKrx<~;fvYsg87)GNl7-B5BszvjO9$rD`tUpkkXOkPpx;0uwV9D5 zauk}wl!pszHdb$}+E}@m>o@{OT@qbMFgGL&nOc17HQya0hg3CJ!2!i#|PB2bP%IRfPf zlp|1%pj-jLXh)`UDi{kQBWGZPsH9IMB@dGy@pImiUQm#X6htFM*@(gsr6Y>R2L?nL zA2rRIkN}D!G6f<6m(S=i{~tI#R>6|2*#N$Tt=7^2iEkmn|W*aQ|bOaB}V69osn1spW*~=(hpc*{@LFyRgS3gcL>Jm5tiRlDBfB}n|Fb1|f zxE9*^OzSw+H!)UeG=LRZl)-~L0p3amBSC^m3+|Y*O__o5OTqf3VE$6De<>Ki-wFb< z0X8L3fWF8sWD>Ho))|*AGr{WA5Wv1^Bp?T8s=$YrS%CUaByt!Z;ZlJ3vZ5OO;2lwL zk0|&@RN;CEG_DXi&^S0r-zsuI$RUp~@1yf3XpO1hy&{_W=z}v2InWq5loWhP3eF@& z837*U_lmR_qrx0_S}7~MBhi4R42Hc2;8|2vSAeHW4YaSJeT{2u`WcT)yFx~uiI$v3 z5KS>~Z=?_s>CO@v-GE2LA=zjr&oK&0UCWr6W;%I^dWP#>3DEDNY;!3H2D;9O&2!JI|4x9+l5+yU2G8!tq zXEv~Gv(Z^9a1$=5g~}ERTl(36)LKc!LGVYTO_tH(x;t9D+G-W4EG%fD9V?z3HV2lQ z0~iz_k{Ls@b4qA{6HRna+G?Fe#6iOr8n)`Q0m}`ITqy5+AT&qqSdLbL;RzJU0u#6( z%b+g9x?c#)+BpHbOZhB_G*LJiXwKS;n61`Q9)p2e<^d|jIxSkupEKhB{7D8hK-7Q zMqn^3u8oBe{4aIbSzGyKx3iy5VJp2ohvQu7kzu``hpA5>64QCY*V1GkD3 zaQJ-HkI>JTs9TIQL^01zB9iNjUIA5+NuWb+8MPN2fZ+(tLoc^bux-IXjvCxvlDx`b z1X2#K08fB{?t2lQtwEsI|afBu~7Xg1%RwiX}*H{?Az&DfVOu|iq@%Yg9*BHtkZQxgZabvK_ag@kRDB>j5 zi6n4*CGOiY3C!O2)EMX}rtp^**~^stBF7W6%qCInd1v`By+WWeDfokOD33Ts6GA!A*$m;rfIy50 zWafo+Iq{Ie6mn8n5^ab`rvM`O$CAeBp6J&ypV^1VtjHiAK&6A(si@8r9A~JEzJHxh z_0^3Fe1DArHDIe4>YW$F0VvWL0~Eq6spHaL<=D8h*<`A`6f8Jvxl@4%3r2v`#Kgvf z=Bpi_jhZlUKEPj*9*n%G0*FkW1sB3-W~<=<&J5ESU`mRU!j%202c3hmNx{rU>9UTI zU^JZpZJ0p^`k33G**7(4Eu8n+xvUs?C0SeWMN&l11bk9(%RX_?U%$%H%vg|IMsUhO zzNiu6BZwM0K96L}GNH$3cMle8!T5dH9#76Kc6gPE;n;HBAAPrzlLv1u_ zH4IooGw8^ELkLkh3YozN_25+ji2yRdya%_+aIhvLo$U)fxs?k7Itoy&%K9K=ltFUv z_8j*?hbY$fg`OHn=A!4y(?~|WwviN&fB_OQP|W}-7$5_~pPv4M zPu_s9Ors?k*E&-6NoMfrqVuk7VsWU?EdH|M&v8P(82B-48DPatZ<1&NFNg*uZ1Ti{ zT$l75_&Fh;&wrCVXX$O0j^GAT;#3OaiRVFanpoe@$8oI1MKD}1v@i!q@Ron|Vkq#a z1sG^jXqzw1n>f4_18@V~;eY;1r$(0UJnLMhK8kgeDBZlNiIsH-`o}HfZrzd{IIT z%#mn}j!AGWg!j%lDB@CfIoSwN?>3+>KKg`Kl;1H57;Fh&$l}~ zeXc#2T_J(#92jTXr8EX3wxA6T@C>*?_`eZDnsOdNUuQ*uN}R!*5mGp#q7#9DQC8># zVf{+%Q1Ax`BT`A5y-R>`XTbL%R46VDGx1Z#^Equ%?!h;(Wz{Z;jHwtR=z|2lj|AU` z+VydLKm4o>_bK8LJuuM;CL>{#ve)EjV6GD(T#2!MwO zg5OiHog8>9;HwKsHv(5sG5rvS0bo|6lGX?YiiwRdvk`|0XBIP=a0W#g6onp8Ofosk z(?h^8OTqBWrI(5XaHOf?+F0ua*s`ju)o_7-&@84t!rVu^j{RXkz|bqq5aod^f%<6V zMkPQ4SV_*{_I(8bb2mX{!515 z%lC*H<8zc=f!>J*)A2b$LRQj5u-zh$O`>Bv2J=%wTVT(E6#353q%diS5XKX&R4QkE zIL0fxL`90$6*LJjy#>Kcp3ptGJ>aXuA9M}w5C?aNgWJt9UIARqXOt#9sHQ+rapOIn zKmi<+=!j?8Tgfx-W(#m|1UNVX92@}-4v4X5ET3m1e9EEZe%26msF{w0^qfm}OIf4|ccLI!IBA|=FGKK^YCOjrkpdygO zGR!iqbE2N-qvu4vF6}U!WoSwGn3Jaqr{ZFH$m-Unmo&z zr;s(t3&+Z7XG=6AF)DDg4dc#XPE=Rtg+0&96VHo?0(>cwv%!x=P?L>HjCo-=MnPCs z=LOowPdz+KrF%*xsYR=}+I#i_|H`1o6^QYMci_ zlcP;MMdO1M1=CVKWBXy&W{8uS`DCmo*$XS8q#_e9*OCGhu3_hB(oC%SJ3vhPvJ5)V(LbB({ z`3#ezoG>DQz3Ebfd5|`PMs_yg?jLA{J~{k(az4Z47(CqPb4-9Z22KJYHiQJ8Tgr+V zQ&MOM80)jzelRDQ2K+ir!i8vwhm~bg&L|Hv16EUW#sKnXj6W2{V~#RA?~K%#(N=55 zy*Dls9sp=9ngCJ@ls^lhrxHRbO7MSOh)iUfFqMz8jPNM%RJ@Vhw$jfN^tl$0v_q+t za0@L9;f?3`8ATr=6?jOzO^|t>pwFeor7#&-$Vje1gImB&GWelI=@clL;fn-9(Q%jO zS*<^0j85{|5}kzs-%v5hgM$e(+C==;AFX?AFdCsI>)-0xxO&)Guz}c&IXwv;>owYe ztO9>SdaE#V8ml2dFf;)}6F9V|2Qh(4vl2)pg(#`>(IjQFrPO=;U~vNxcwL##3@UY& zs-W-)9)1MR2jK!2G3x9Cvtc-DFOZHNCk)$gJn!ZrB?do-Of7yHnn(ae1+WoD2*_u^ zPj+}zLIPNciV(oWB#A<|F`5`N@gsDfWA?y$VmU}nLIx2OfC+RY&UuzBO+wNUI`KI< zHVLN%ez+T^nRsW7uq@-JBMmngXg@$nH($=F21+9V)oKWcStDX{P9+dCCc(6W*~&(! z`4=D+eF6?O7{r&O@De|XE(3$>;3VgM!pH1cCq4YGh?Ri?2ZGBf8K{27lJ^$BO$k#$ za*<&I4=p~bB*jH)=sNf$C4QRSipVIXK)4{^iKcTXK8G}QOiG$z&J!-*YA~Z1%?gw@ zke^Xp%_00O`p{Djb{>A0QF^01u47_eb|0-%?HKb2;pdd9%t!_`t>D>FW&uFJC-?=) zfgW{nL33Y{WDV9>;1b_`7K{k@8_*#JB7`wjNAXuXU83$KaGz%2BZTLGKEf zG67R|LR k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01/why3session.xml new file mode 100644 index 0000000..932249f --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-01/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..755081dab1a86e66a9e1798054c9908ebdfd375c GIT binary patch literal 3427 zcmV-p4V>~HiwFP!00000|J_{g20|edo88 zsdq2i?c;X;Wz)j0e>=SRhbWakZo4_29#8vkepgWfB6R+bM7bD$J{^uQ43z6Y?{UA5U(1r+ z{8s-w)% zR(v&Bjmk|mSQs5FOb-^u(896}(jM6jnn-NJ$@94B`kQ||ZvO2%JV}w1HR^syW+e){ zm4n?%B!pH9dhrJ^3x$?oFl3+-u_qr*N!%=x%}>7k2FBE;v4nWU`A z$SsV(nu@9AWw*$)Q1z>n8L$|XH4H@;K`ucGX0eHzf^`f*CD4GmJoYNoZ0A8!6%!Sc zv0GjM40Z`g7-)}Wq+;wGsTi9g6}kK;CJVzao(jU=xMAQ+8I-*CN?A&s2ZZ&wc z9z53!j%y2x91=KEI69><7>vCejF~5)M%^jSA|7P#7K3+-5jF;>mnAw<`Tqt3G&l4Z z2CjfVczuD|5ORC?r!2UA2mp+Z=S)HX49~{^K%GIc2miDOpJhOm4_b|%8F8XY%9$Hf z2N?9GGYs(&u;N&Ofi?jFx69l>RJ0jwILHig zLK>fY;2-A+oiUs5>Jwlu!qljv{sLQ%Vql((_`H0}q=)_bEN*CG4X`fB!# zQgJ8q2}}j*Ns|=2BOZlT>Sh<#-@(ti*&h!3 zAHMquFlH3yH008}(m+$z>&>p-R*HQbPl10xN--owF^xRFG)MpYi{G{WqUYqg!hjXxjQ}B3 zPUh7zH-hhrJ{=LV61);(3=o*U0h7Yj#p_zg-6mYudAx*fHpy1PSnL{Q*w_)|jpKYe&hvP_kYX(oby6@&`ha8|e~GmDVn$A* z`vz8;y3O&Q`_1l@sNh}vrY}H*E4LaV*r^`>n@kD#uY4jR>CS`V-BY&Hs;EZ912!NaVu7+1`MLS#31+@vh)?E5!fP!-(_<-l*!IMy6zQVKR-V+%r6zj8@#n%2fZ3lETXP@#NAr!V>(JIreH4 zAwHvw(kt9SOr&TmgHjA-u{cU4>TA_k>9g#7DlG3ym(MT9uQ?~09ziK^aUSPKa2gJQ z<-$2L%iI_p0n?)hqjQ8|(+Hz;ZJ1?3qaZY0ahnT78W+dH@kDtnC*U-e%R>oC<;t=O zo3pE8D>83IW(hED`5Z#$ZK_m$4kvrthv1=+ONTf;Ri-D>h$Ic8sY0D<+kqYrKj>

?M*h6ak%7A+1Zynh9V#3dECiwwD4>ti*y!VkJ#iduTD5ICv@Xp+4 zqcUu1IenFdDbs6;xKzPrtMZvbmd_Nb$gaUE%K~z+Qyc9)ctFvO9dR)GD$5O;>&7G> zuuTPIaF1UjSm%d08~pYjSjMvr$MuMjHn(Uzves`4veA``%*DC34z+vwD@ zbmpi`z>tTEM0~|clS6@es9NXpOVLX)HBNUIyNpHbq5Q<`P}O7=PxX!1f~nIo2D)CT z%BWE0PK6mPW8g@v$lxtLRKelKIIA-bI>V9%=d<*SR5au_pA`DK2s59q z7B=WiR#l!%XtytiLn1%iN?tv_RlPm>d^qvxrB^KDS+VJ51;bbfJ)5)+FN1dz{! zT#ZUS%hPIkAIqC?@=}zQxdbVpwd`8~)@1ocA;f@_tdcxGRLNdwi4Plc_Ov801+uwJ zC(LSeMgoHn3}3VcVcHnV#H_UmSy+P*p#qw%VKuP^Bmy%MV29oESFE8D3~Rz68y)^` zCv=<`{L1IBFd=j%r7hqta2~D0ehcX&E6}8QFHNf<%DViilPk zWxCdDCe=a^$F1YWaqYNrTsjV-bH|zE)N$gNb<8-X9aD~haKbSTgsor0{viPuo$`zm z3OtnNtudT6jI0-mIBA_UPHHD%ThdA4BzKZINu4B4SSO4V+6m=^bV4}6onTJTUI#`R zqFBR?Cz9*6UW<;Zj!7yhw~X3_VouTjkqK>#Y1%dMo~%30SliVAU$lk2HOlz)LTjg$ z)6!|-G_PMe+t6KhJCZ@l+)tAtQq3QH-N6W2BKY+ k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02/why3session.xml new file mode 100644 index 0000000..d9afd0b --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-02/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..9c7cd2fb19c920b2e0f1212d5c2978b207e0b403 GIT binary patch literal 3529 zcmV;)4L0&0iwFP!00000|J_HSUlCwk3i?K-9J6OochR@S3HRzDuE*0KmKF?)YmV&ABXxGm2RCnDWe%tJ0GH(Tf{c=}P+7iEH2do~S z5B>LgyWf9%d7jEpZ#TPdeYf2lPmiblw|-Yq0wQ$%ACYo4{(L$dVHhaap5Ehr9ln-1 zyZNpDmu!MYe)i36zx#6f3Tt-#VP^Iq!*KRL)`8Rc@q*n=j+e#bWq7=7?s&mu^5f+X zgB@KtUYQ?@$d6az@v6yqalGon@ru>xK6*7+v>7ehrlthFpe=ai#RJ00l;Y-~x9*>w zPyebYYe9o|xVfRrZ|iu9+Q8lOVGPy>2G%bN+od)P)1chLrrw=?f?n7d{H&;1L2H<7 zhRNrBxWWMEPk7Fs;G8Q8VvC9bOTEHzT~W1)`lQN>G1Wd*fm;3B%k#D;VG$fj+93@+ zB2(^UDxVohwgp7a%?gk$0MgJAP>Z5j(K)k9mKe>7#q(iT%_^6;;<;G~G^>f(@xrX+ z1+(I-(P~s`s?oyeXkmJ^FoqVEY>*DfZqP(R8%~~wP1oQ0$K&STeTOG0qOvC457Ded zX18**TZx3wN50zC(KGVnu}bTrm@s zRgB!i2&}1?T3&XGGz(R~ikSfmL0Q94a1rFlQrp8zY4Wf*895OBLp4Mato(1wG| zASa~psR#aX9?==I`K~?z_99G8I_fX5^&kf3$%xO(w@iAt5C7_vHN!qMgn#X`Z>_Ip z-#B$y|9sa{m-6V*d6f5w_-QDu>KBy*3JHK z*#GFep8#VfVNOFX%_|KwWxd|)>TRXi$LSRK2c#53QWVq3<4bewe}CzBZGTaA=xNI?iL3?3Q}wcjYa87nM$d&5BYI4BhO3X%|o5Xs*gAT*`N5B z1W@8ESb;f9eJM;!;LTx1SO?5RymLOj>=1qDSA6`GE9GlncTv;m`p6MwW0wz5no8PA zksw~!x)ifVCnYB|;X<+$k)QX^kLv^A+Rc3g2tgA-WSB5wg?J-C z2$hm~wM-4~`(j8(gscRwgqQ*Zrf?u92s-9$YIfJ>&*MfoyipP&h-( zm2dWS52PXRUE8bAkXI3JGp{#;*PGJocl{qH@AU?~-pqNumX#JBsKbslpL)IKxO65% zMX&eR#|E$0=P9c9X?4l#mGXf2Ij#d{>@}~)6;rQ=`~Y1e^LmA_&98WU#5xpWaSH=AfHek^oNGHmSd@`iCrV!2zl$j;ArW%$`%O$r?@yCxW8kzZ^IA-a zL5Q8lCAcUUj7zW4NYi6(Ys{*UqcS#+umel%2m1EaXfQ0nT-ZlIV@ob?B~dPW7w@|) z)V%4PAn>??iG%teD883=TKY!%gZOWM=6GHFQ9tj|CzU3a;JHLYOLvl3Po8&f!qu`yMKRgQqTBoGFfpODpSKdN(?L0$CFFj@JsMprr4`d zgz$_qNw07RA(5h?3`#MSh2kicsIS#frBAZ+QdmBeE}vhHUsFz09ziZ}b{^+Pa2gMR zrNTKg%hZ@00n?KRqf>-oWrWeGHp~*CNf0Vm+@=DN#>Jsj8}j)|{zem6SV&S+D?ie+xa@`@G9!iwKxf#I$m zR~4=n9Kk1<4=2Dku*Krij}>j1y&$$EJH}Yo9)wUiXwbpslCT9@2jUu9uRc})?QD%fn5KU2v3nL=gRHCSa{K=yWOgS~qX$hxs33?^S?sX8-cLOXu@Aod+(s)=^dgY5`JeXut`(HewlLnsro)+S_T4MO+|XtIV?VGT$GW<K@$ydUQ|j+x{*S?br8wdI&54GiOVmerV%D^YzU9@P}!tl4-si=gaf?;~%MRb~iU|-w@VW-LwW`SR)i~>st4E-CMz1*)D|R zjydYc&DvPoH9c+m7EFaIE_K^AjZ!sjWv!Y8rH&G3opIVJC*v||I@=ga%~}vD*KFN& zb=x*n3d0SfV!@bW)G^|yb<{Yj9aWA>M}?!@(LkkTglJ`C+qDXm&1*$OD~&Q;+iND( zLJ-HTJIHny_j)8E(F%E=nzlQz84N7#XXPi*rp)_xe z;jCd~y->tS>!fi~I|!Fwzjk8g6^&Ws9h-L6#XBW(8idiU6Z~i>y9(lb~VHw+QQx%W%~6(Yp0dd(rMu| zcbYj(ohD9Mr;JnD>q;r7q*KCcN%8C$6)3~1t|pyiprn4S8ZCi?v90M$Zx)6-! z1RNun0dd+oZ3YrdtSMoA)AxPdDj`%ag{2hCiR+s6Y+8x;; zJIlNgS?VnDWDO7>$%?+`n%XrOw-&T%)*8~ux@L;5J1{Ho4gwPijnn@Fj5LK^xGn$y DcRA-f literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03.mlcfg new file mode 100644 index 0000000..cc2d105 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03.mlcfg @@ -0,0 +1,5622 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03/why3session.xml new file mode 100644 index 0000000..d17e3cf --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-03/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..50f961f8ac54816fbe626f5ea6a484d4f14d82df GIT binary patch literal 3537 zcmV;?4KDH@iwFP!00000|J_X?~ipJMFVY#vo)9bXlT`pf<7__f~m$JzJ(a9r=Uf1jz@{a^1+ zzt`*S_lhiHi&iu>S;ZE2^+SE^PyYXkSE5pttaR1`U%q#VMD!g0QS(4Z#(%{;P~-Do z>j#)E7kAa;Y_&Vgp6mS+(0OWi&(ANXKJw)iPg@X`z%4vJ{bTps*Du>2hk6f81L@&= z85u4;0|~Q#-EDhZ`24N@zV3g(zQe9q{9Fb`YHUOt1LC3KM5p6cRA5YJ_uHRIq z-o9)$Pn+GBbqlBd?eNks!>-I?4xH>{d9qUSZ!1b*3tj(5q@0cKPlqE61LfM&d)lqS*F0x; z`KbRTn;?;&eRI=qzns3pnr(l$Fnid;p!*-I!0BAQV0RPsvZ!8$>SdSI3nr7RmoEo9 zx}jc~t3~AMm8f1d886hUuBcZmM)%Q+!J^G*(Kaph-^Nt>R0V4FZ!h~zPr@QlNjf17Jt7nC zWGcTfkZcQxoSPLOTL7e?BcK*Vv!a*GDp_JQD;D*`ZkkoTz|&U836x-hkcgEDgFpp0C1P)34-nu?3e!MLc8>+P3Kf7)#;HuY2P0m#pocpazs zADE;?ui)G}P{o=5s^Q<3z=S9xz-Qk>KV@7vIKiPm?l#|hY(F49bg?2re6E;@!YW4Y zVFcDxOwF&mMVf`8U&PFSg`liqD7Xl6@w;Fan|LT##}HIJ4VcSAuR_UoJxHozqGB?1 z%PWAvt|18n>9K@VjGZGDV=~c| z8bJjB1}Y?ier$2~74y(FxQRMp7pHZCAwB_C9Lq4!Mj+sJo*IaXHlYoNJ;OdB zjZZ!Bhx3Ten9Xq&yp&|ThpM7h6GyBG= z^ZMt9mcmr9z=8(Icj!qR>krW1f}nu9c_VcKQ-OMvB*pH4N4^!i*_HJV@ORzp4u{>3 zzWWIY>F(gGXjXb_I$Nu-1e%tm}_pZDLymCI^ zHS8aDLFN%zeJgg0>>78E1F#EH90-j?=}MVOsdNtcaWo^(OXAH#oyV$=H~`t7_?R}J z#96QcbC&vAn3lks!;G*Fn2C7je0td;`d(h~@l!68uYKJ`Nu%o{N8B5`u0UxjX)8s- z_QKJnxTr!YFiF;xR3F1Or8>Kw;yfHKc9tUYez$*G9RSzv9wR^qngAlhgb^#m8v#P7 zl+3GnYIxrlLpma4C3q#o6d*8t116cPi^VecML{Z|&wY_&@6Yh}Yj!F~^g~g2xu<-= z%Q^M}pk|d!Rz&Tit2q@UGsXSJRp9K>wp=1&FgW+)axNXK-b8;ULkDr8(tr=&W7zpz~dKj zn+MqQco?xsUUGT>qr&Oq#uUF*uF6rNsoQVYONw+_Q@mAD)Un3)4~bP>D+7kmK!&W_K!Tvx^iX*+q)cJl_qs zDxa&pY}fv}&ch{iy^glx$3oX6!^RH3-!RV0ah}H0g%oR%D3gp)lm{g1_>YK(&t{}F zdT3y!saqfaxm#~fkqX|$?}h?|zjCWFLf-qYc&*VzNQ4~xaUGM=$I~R*7|>Q_UW+L) z2(k0H1Q!K^ap^T0X?o0Ujad}?sEo}c?7$NHfxdk;8VpM?7xod**pkazNtDap#rq)( zHE((+2t00J;vhZH3`bG*L&Q9kdH_i!MeQ zSe$1Jn_)Wj`AM8khSxT<9TSYPv>j8}j)|{z{xmw-&S+D?ie+xa@`e@5!iwKxf#I$m zR~4=n9Kk1<%M;)m*kW<%$BMShUJzT7sWH~IhfSy)H0a=RX|o!89xywOt`wI3^2!@G zZ%MvynxAnE8_)4^fYk7n0QJUi9oY0@!q09d=>b8HHvyBq_mM2cr8loAlb2Qh&OBtJ z(jRGFzRJRs@|q&9Rj}D2f2NT6Glj~sYp}|^fb8wm27C7&kac567)-v(QiGsM`pQ(vTW ziAn*6+*c&RD^{HB3)ExPI+b6tUW%!4yt~+WC}NN0CuYa0CaZX?Z-f?1Ez20_dcG>7 ze3?5IX0VKbBcURLw|HL#ha2NXnQ@RAmNYoONIy$OeICPELdb#>Lr(alFw{ku`E;|e zK`&%gxn_L3eK{N=`SDirs`?i7=GZ6Ygr}E5u#6|c#+MZgV?Ok(<2t+yJ{0^fR)SJB zD)!7zi}_1W2APMBxUHPciJrv~OEF{dT-SMz6*F&}@Ry58R1wS7ZaXLZvWh+mCRysc~9 z>s408LQsp3+%UDGI4(^l51nNjK}an>29opLfRqo%Ws zvDB;tp>oAmU01hlL!~g>Fe+w@IYu2Lj#@{JquNpBsB}~~${h_nXc_MlWHc24b2CJHecw zgA9x`M6rgOo=C1&dL=rlIwq;4+%jrsiaAC9M<%o}rfFBC@5!p;jI~`2v4^&BwnmwL zHPhN@<+OBKIL)1APE)6eQ`RZtl=iYx$|>oT@KRDdQ=8!NiIZ);E3M*R2vl^-@?$!JN3RSM6u@oZ;$#gsO-6E!tTu(obN4}>*B3n_IEWMLwqar%D% L8$=g)v@QSuiHYh7 literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04.mlcfg new file mode 100644 index 0000000..2789806 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04.mlcfg @@ -0,0 +1,5658 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04/why3session.xml new file mode 100644 index 0000000..b1238b4 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-04/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..364a7cfa15c1154584cbdaa757c04734dc2e9aaf GIT binary patch literal 3564 zcmV*6~%bsK4CLj$iA&KhD1U!*RXa{(Yuq_kX=R z{a&xP-z&06En3msWEET7)erU2pThqYuSBIPS?Qt&zC!O3iRd~0qvny2O#g~`q{ipJ z)(zD11L%j#4k#zsP zObnNSfrQz=?zSEmK7Xsful*0$cia_ApUcQdE$(1R-R`z0=s4COqRnRakk)Z_j~Ad|6>(7ovRn@Zlqq8)XPx4?2>xHWJ>k&Wp76} z)GJH1h*G^0)vHG16ZNVq>J^K@ee|NYXfs%}%}oh%L0bsIOA5ltl;Yu_xAxEb)4wXp zT9Dua9mWh}e@=QxZ4xWb@Od$VHXlm52nrUy z4329HiyRU-QaC!LF&K=!8;qH!O^v!!oJBmy-Yo|279(s7P%le#r1Jj_254^RF$~-Q zfAIPOwISs8@K0HA`w##a9nYDB02sa;0|0df!5;kc4t$mYRX#{HerCjpA}MFCQ5;~< ze@l&)mQsn!3#pWAlO$M9u2>&J!qG(k!GkN7_XeiWZEXU8vOD5N7))@>Nou5?9vYw# zRRCb1Vj>vE7I%-)7ZQ+u_)vnIs55qPT4xyIBVfg`0t0OV0&eHIfv9LR+Hlx2>=V-X z+yj3&Pw0%_Udl9Ba9rYJDdfW!)$%xPMw@g|-#y@q=n&BK8!oLpLx7IhaZ=5=> ze|~5wOa%*^&;a@NJ(*+u0s31I6i_#Bq)uQeP*0Mi*d6gGv{E;_vi<@7uAANAu>0Y= zp8#VrJKD$MF>S1Edr~QWVq3<4be&zrXlx>#y!z1rK=Te88*U zKkS0c6S9U@>K4T{?j8qV7i4lEG!~^RWh$leIpoK|i~=u-HxG3lt3KiYWPjpg-hdKk z!3xY->T6+I0&fm8;yPd^(w+0^WsB&0dBw+1rBJ^5x=WHq*GG=HH+Eft(p1t`ip1^3 zqf2p7g;HRWtShNL#%)S!An{%LgpT)TTr03m1whyoJ^tPpPm2%&N^ zujaWCd|&kGh>(@wl@Mcq!1N866s|57%hDGGsf0fFMUK5c!{4vjsUXP@#l*`4fr{CdT zU?1zfUZ1C^!Kc+VuU9Gn;^(vun6cNq9#@RL9`XZpjl$~{!ZyF*^$F{2++G4aei65M zguQ@=37h04rw1^aIDOif;B_DjAv~ zI}DfhAObqdAI&5+gwe~Xp;-*q2CN?C^qsdkp?dEvzfbr_dAv-S^N`1fo=bVWo~Gn^ zX)GFy^LQk3DUZ*KKIB@%G>kAO!%B_Y7c^|&gwMI`uBIMwY>y(r}o<`BefVL|0T1-hn zh@HnJxF{HmORv$$(^GD1%wn>S%Gff(_AId<=-XGLLB9lZ;Sd3hopO0AiRrR;@qQ>m z&70l{B99xG*ozN>;(KZ5rEjF)Z~yJj9ItPGkk5N0`Tl(jZ2tV+plAR260aCS`V-BY&Hs;EZ912!NaVu7+1`MLS#31+@vh)?E5!fPazuIrZ&dY9BU7@uFquYF?irpGR(CbhErKUG86wUvo}0RYAGoLLcWUI1Nf* zxp2&q)=n3YxkQ_C1}vz#AoLng`{pFQ6 zZr+k|-?TjA8a7_yV-KnED+B6{-#W1I#e|>TO!5PQ9&Q4rc<&=cic4=^QARJT;hnk9 zMrAnCeEKR2Q>NDxajk;Q7UeUAET1V0!PIFP16?mv zWmG70r@{=DF>oYSWbhUrs^D;AyeKmcGQ*Mv=NIW0sc6V!ILin*;lz*=J}LBd5oSK! zENsvVSyic-&~9H2heUq3mAtCHMZG!ttep7t(hHXHEZFq2f?+I#o^@J>m%)b#|BIEN zT#ZUS^V4Gf7|WZWc`3@uT!NI)n)j^$YqET!5MsbdR!N>8s${=ui4Pm{qP8S31+uwJ zC(L4`BY{B(hOb(KFl`KF;-a+)Sy+P*p#qw%VKK1=Bmy%MV29K4SFE8D3~Rz68y$W( z@<$9pEziGU6O+ItlN3QFDRN3)3AGsIIFgk)4t(`Nvz=y7GG;LY!)aC{vCJt!6*M!X z@t`F`GGa(>F(ea)WXcdrw4hvJ6GLGuLBlGe;34X6mQ;yI?3&#Xii91}LL1AafB*^Ck05m8<|5e$(I+1E%7HD1@qBGkQW!h_Uwr!T370)`MY4AUuZw4m)Y?Ck$xu= z>e}%)Aes5_1J(8R?ymI>VV%`YYao6#Lh-h)wbv_e1#e|L6OKFPs3UhPV{O-X+V~c- zZK}A`ZPzqP)wGqhYG#x=N}P4ZX{Ve_%c$vWV=Of*L8x4@RoB&R+fXSCH;jrIV~$bB zh@;j~U=raojp?9M_I3$ED-2 zb?!KGoH|Y%vyK_Zv}4LK*qm^T17Yh|aDKQwiB5UO2?ZWX^VS&78b($#MVz!w8Yi`r za4hMhaFRR8oTN??C#)033GIY(LOLOw;7%|nXfFdJ4N zDW{}UB1lQ`LX8T9VO3X?PBIXZU#Uh*;9zWPI^)gEaA%k^G>`x_f*BB}t<$C_!NiIZ z<{R&Q-6|oJm%>sC<^+zzJewKmjJQdnV~VxfHmbFa)}3s4*Vf7g8*Dn$)H9= k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05/why3session.xml new file mode 100644 index 0000000..3cf0868 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-05/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..e23ce626891c0c8f4886d524c401f234860a8123 GIT binary patch literal 3554 zcmV<84IT0yiwFP!00000|J_|q`@JHI*rF9pO;)kRUHwoW`;-5_;+3dWB`clvz?bh`A`v~uUuqr*$@p8$12sPX zwSIuva&cEZ&Q`m_?77}Q0iCCI_x${F>LXuX@g#z%1d8zZ^pD+hU%zaB9O^wV4Wx(f zWn{SY3?$6{b+_$t;q$lp`?~)DatEnc{9Fb`YHUOt1LC3KM6>T=VA5YJ_uHRIq z-o9)$Pn+GBbql-x?eNksgH&cQ2Tpb}z63&b*B#=w%|0gc79iL!4;7^?@k_SA>S=%I zzt@}H?%T_LDnq?lZ@=~3W_>(8op#^)ZAA%)(Di>r%Gvn-bU4B=P_8|_r`;-i&2x5_ zxB6eQ2^#s?H#hzE%jqku+4hGEvj-W5v;VOQoX(FI>~3w04L;!JhAzLY<0)zbch840SRWWzzbtH*+AvImau4fzd-@4_VPo*KqGkcDVX_$} zpZDPk1DrqMIe&t4t|*8tDhe$10>^bl)gtPXDlf)V`&0#L^=~ixO;5riIFhtO8hS*g z+{sjaVIbKS5IHw1K(+u#Lq|X@ie^PGnN_mHXjUwq54&krxx^LE%}StIP0WrLW+ktf z6<>^2qf%3i7Dh)4)1!qkw6J7@bU=24CKB3k@;q$1{?ki6Da8OfmkvSL_^>MxZvguE|ZN;X3$~^%2856JL z6#oO0wCEL_dk3mG^ItXmZV60?Is$z5J@iw?g@Y3u`r~f%y~p+g(nA+3BE;v4nW(H{ z5mvX0_q4v9WkIza&9>~w;DZK zkDhBr$F-S7jtLye9G%h-45r=<#>}HolkOO25f74gi_yEq1RFin%N!l4{C|T1ni_fv z12@1Qygoy12)P6NQ|8^?2LMK=bBYiE!Ja3EBV@}36_#8HiQtrH8Ff}?~3`ofhlxb8v!8i4!Ge5BiwQl8?k4A z255vM05DJ?5%gn=yT{-Q5lBCL$iYq23A;G06AbYQu;N&Tfi?mGxAW9MRI~|gILHig zLK>fX;2-A^oiUs5>Jwlu!qlXr{sLPMVql((_&k5hq~&AySEsBQ_MsvCYoC2|EMN~L|skE0oRUJ`E}>O59`!~w|u#K$Cn z5@*2*%vtJdVOj!j4l}|!U?$?7^XX-a=zDp^$4|LZzV>w&HI1&198orQ{Q#w@q^%SQ z;)ShCaq$SHz$95$Qhf|!N_BQU#d$bfNR}eGHF&rn^P#o8@q*-M7P8Dg${ zv#)y~4T100UVVnVh|2TQCH|X`|lGkflY2kr7>`3#e*K3YTFJ!3b z^&b1!;Pv`EMfEh+Kxplf7auMoER4X=+_XM=bV@c2dC z<^lFR9!6}Emz*BJsBroynBup}RXHj&b^GmlNs&%#inmINI@UX5`m2}2mHbA2I4K#L zF+22^cCP|D$sbLT8p7!1)X*%(YXeq~Qu@x@lu*6*mOmu?lRRF=%z4b?eb1#lUY99( zS{jN5(>xxDT*~9qq7SLoQ0DR3O25r=VcLowDp5%ta=cy9>`p~(c9CKvyGSvb=eyxn z<#V-{?b=`0dANkG*U?t|Sm>H$*x2Fa4dc8V=V?4$NU;`)I>{JCeL%8~zeL=8HY26c zLjx;K-TL^?-Fkb9RPZi-HxwZJm0OJw^4@>NYmF{KBIMwY>zI^2o+i=8z-d+HwU`ov z5Ic`ca8WQAmtLchrpMgYm_;E+Wo#Z{2bS0m^zEzBU|52=u#bSomR#OSqFnYa-Va%* zdDA;V;Bf;J2lYWvd@t>^^o{ff@!$T;@w)hM;_8j~YndJKicyZ3;s8#}^a@>P}^G}VnsI$#?M z$lxBo2Cz;Kan}3oBd`o->yPURBdvEgz{2x>@1iY@hgGFlzDUM{Nmj=7t2V)@FVeY0 zr2s?jD-z)qD^B(W>al8_$}d?j#nd?7UFLSd1x>?wu z7qY7SWPH1QIUFMS@mBKc@h$4ju}_B+o?ZsUGM*G0Usf=T`OveD>+mx8Q1HK42};$d z*fT#Z=8vJg2`4W_UYU!K;#>2f(?gXUgqHZQAupbm1g1bXmFa|8 zOwLGP5Q5>W)*wt9LYcT|Z9-<&AcU`gCTmy})__D{Mg(lXTmFhQRDxkm*k_~T-;Mkc zf>0Z^hDEMP;8GZkuu>Hxrvix1|8@oo?0Jr(vSK6t|d*f_ZtKGPt3{xq-O=2TRO( zFyfp!oiL}jnA3teEtz8$De=)JxE^@0Oj)G#<@+gf@XU<4FgKVBGi4sXN9F?{d=Bpj z-tYZeMPM$pe^i|^mlNh$?%9^N1rf5O*iX}U#$3i%8b3EMmjVBfxd_iOiTU^ks_X6D zUE4Q=byhd6f%w%3#oM~py87)#Ac5Gq$})pd2-HdG434WnYlm}As2;;41hII100j!H*` zqukLzrDcR@Wn|m63bHs}D>qAVqEkKNgaQwxd20-34I`_WB2HQ-jg#6**p_rsILV!4PEsd{ z6V?gigmywXA)OFTa3`1(bkKp3hA7r>(-X<{O0PsmRmUWilv_saOfjeE|HyQ=_CUs^()nA2^@@VO=o&DGu#>G4D}@77{LsP)7EJ-kYHj(3G17_@9S0xp?WDS zrC?56*Q{qVBb^a9NpwuHR@+9kw$Zwi4e#1oS#N_)XPSCuv@_}^iAHvs)cwk=q-dxm zk~NgC$Vzis6W-|=C1AwXSy-)|RnAIhg|pmQ=8ecwXNf0kfcQwZ=Y0cGFl9Aa^@fsW c)kw!T k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06/why3session.xml new file mode 100644 index 0000000..e9cc503 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-06/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..8cf618f5885601adb1463149b83c9fe7dce89ff2 GIT binary patch literal 3552 zcmV<64IlC!iwFP!00000|J_%OB__f~m$JzJ(a9r=Uf1jz@{a^1+ zzt`*S_lhiHi&iu>S;ZE2^+SE^PyYXkSE5pttaR1`U%q#VMD!egsd*qI<8Lt!)cE|@ z`T=Ik#a;C{TkQ_B=X(DHbe`JX^YhE8k9>K>(-uS}a0`!5|JXhE^~?6hq22@2KzjII zMutnzK*H=_ciSEpK7Xsfulpac@31QtKbL`#THL{sy4`J0&~dCmM4Qd-$J6t!>o=9D zw=bK`(`NT&-NLDVJG}JEuq(5e11CEfUjm`J>kjeTW*?Jz3)t8%4;7^?@k_SA>S=%I zzt@}H?%T_Lx`%qR-hS)5&H8wHI_1tX4@Yw%pUeI=>Eqla5`5n*xf|EEUK5Gdf6rQg309S<;%g2 zZm3u0Y7x15C8}3V#tZeTE9w=C(S7t{uxK+{v`tM3azR`0!ix&R$&}*ZpttUy_oshV zl(iti2Rz)+<&SkdMQPya`7j3S0|V=qh2v5ihG`J)VO?)eKS3`X41QMBETA<^HpAre zK3rjd^C#5vC(v_6VcVjjz)~-8Tvt>rqCBbc+n7q9sz9y&?Pb5|Nmv9bNhhSCM`XgC zOyw5_l5GKzbF%_u3xG6q1k|EvR`iltB}v?08{T@`_pU z#b`AuHPvWgbhI!%S{OqMOEyRcWH)Fcp$(en;n4NB{^_{>ci*8VMHJSgdl}72WOge@ zyOl@?trXkQ_ zCkzeWnGUB$7pAswP)5!il#%NW%1CffQ*n_w7#H<%z5TN3PrGf!rhdvj0Qngcuj3T| z1CzAq6`XqqsyOpsHT-S~Oo%c9eD*!`Q^tjZ6CC>EZu7mz_5;#G7b_yf=ZcvqtYYLI zMqo|F)cm?zq**BXMa&FX2+A6Uf{P#*zYAuuiHCx93_-=yfVn*MDwJ&3gQO}ZDkej> zyaE{P8j>)O9!p5Y*f~-$Rw5O;4Wk3z4Dvij9TC$XF?0mf5r{fsK%L~=a&&GrdbA!r z*Nl#9Gm9J(IFdO!r6Cwhy&H^~$4yPTW1K}iNZu_*?-mnm^iVHzbfohC4F+gx=qU`` z0DtiM47DNT4)9NzcY7ZI7@f{3LI4b3jsbu=qhJsH^A3EL0aZRqHGC$-2_ng7u2CFd z(0_}KmgZ6k%QLCuYojDsO0L)tLj2Lh@WH(+=Jy7s&~0r5fV?~4h98V@%Smj+o&g%5 z5mW$Rph6<(#};>w!51Qse)y1so2V0Zaat!B;uB!Su?z!k1Ojg7se!0y6WVatGwc)6 z_|yacIFIOz*?d=@0DBRpCLQ$`IC|Iy=E;c9^S4Y|K8AmF%9`OE8p6N!*|*j=vu~U_ zuYZ1MDNF?mENFmyhn~c-{s8?g2nwj1H&Q1s6{tr^QtS?RDcjZ0cmGc3w zVgIlTGLOjWTd`YY*SLEefL)N{KxiyVSISgMrE|!SqZxT#5^o;rJXU?g0m%Nu$Fu<@ z&Vm(~v((qZv;^K9W`uRXOvF3q)5{jo_wtI5pK_sm?dvW|8eJbb;@;SG1xiy%TPYH@ z7mhB)MHNbcNwTh_`WUt;)!FqF=izX%vlNl{yZzJZ0JwJd7y&}i1P~b}j94Mw2oOT0 zWM0iv!~4D%(h(sm!7CxA0DNDg;#M{j4&EWN>^!jc8$H{xWL9aKLyk5&n3lG%cM4C^%UUOV}Awxy4 z_t?h{-%3a5`7Q~XxBDo2H;ZogeGDbi_8@m5Ju$9iW>fAw;>lHbS=CnZBO zW{3XL?nOW+`J*XPLm0iB8k)s;ZNTbLO5b^#5~}y!@`r?flE=%KIgfd~@41x6>oO%z zOGD9Mn#UuNOL=@+^dZ$6$~-<>>5o}1Oh?f}B`S$Sj<+kC-KnU}E>etS7b!;bd^g;x ze6IGgUHj`g50}vOI@*dK3tf{88$0}d!#FR;c^Xd_QmjRyOfp7M9+0f#FA)!)%}8nV z(7;Mlw?6)Jx89y26}*ez4Fw2)ay!T)6TBD1Q2s!xUIwqx$r%ALipsmWh7E@vn zV&`!QE(!+Y(rYx*^qAWkvncja8JkDgfhG0>efw%O7?xlz>?5GDC6~97D3`s9_d^zH z-tcxB0Zq@1E- zz2EoS?s^GpTEU`cC9Etqrf?c#W2y|vv0#-Iw?c(##30IZ41%vQOONqt#35g_N~t+b zA(#fVLi|51C!{CvM%C~%Qj$%D$vC1?&-iRIS#cjKQ^Pw-3@g*elWWKDOYmE!*sF01 z;TdI;Uf~HsB1J2d#qE=C$y zoM#N1VLJ8sNt{lG*EX~r6O6I69aGqjiLZ73G&!6%u^6W|-zVsYuminh#N5L=R|G1j$*O{g3+=-_f`vl@FIFguQ}6qf$-${ROt zNxpBIpK%Qv&+&19)bN!6^~T>iu<6BwpWRH-1A-oJ0w#O!BUy?|Z(dO*FRT8YdB{ek zKhnH>m4zwgHAP&jV6#R3Od<1U3YBHoV3m0R+1sfN_U=6(>&A{Sn0%F`22FKik`!!X z0U6xm*8tY(A!X8uSkSftT@>hsK=^xD!*jC6jS4Pcd_$O#2(8}%#Kw}R`FQh2rZaemNC%vd{svI zGIuP@U>O5PLPZ8|@xBTUH^z%H;~+CEX>fj#ewK>*JchG`kOe1(obX9usEaW3>1JVr zUdXC)&G>fvayUft(kQcQjfhmwpWjbLN z6CDW*LNI*Q8iZ*>C=(a0O~}j|gzy#6WDSeL8juLgh=A=+%U`jEN-(Sm`)qXlyOBRa z5NgxkuEo0F7`QZ^N*n)_5+bM8l_rZxj-w}OCVUM+GZG#>JHC>P3{}Yx!=HbsNok&z zmC^-6F<~ffF%$(uQ8Gk3@#V^tjA&jdQ7~i^hU^wYRxm8{HjRZ`|HeZTLs}_1WvFb< z5WYr+C0MEed$FIU?~$RxCp}GYE*hY+l`@gJGLuSO`|*0t{Ss<(o-vYiRX9dp!?yOpuFYkJ!BEo9qNajDy`X~1M?D{Ixv zD0P%L>x|P*IT@Ex)7i#YYF2_!xnirXtJ}7rQW$O+6*I;hqmB_rt)s?K?Wl58Iw~CH zjs_|%BSb4B+pblR#qnAZ(MqFC*Y=u8H50^f>$q`TJFXm;j>FcuQacI9l1>UIxs%LE>LhW( zI$@m9PADg&6T%7Z1apE8GBDB*#TssUBDr4amFTGIn52?&%cz|x<`n%Onb5|Vrd^S~ zC##M#)^;_-9@@g$8fE&`Olzl=)6!|-G_PMd)Q6Dvws-}HT7w@L`rOJOMm zbK<&YJ)0TnjJQdnV~VxfHmbFa)}3s4*Vf8<8*Dn$)H9=BJXr(8N3tuBbJs8{da<%xn@-g& aSX3|k|E(ZE7A6uJr~d~-ZtUB%E&u>);@E%y literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07.mlcfg new file mode 100644 index 0000000..23e0c7c --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07.mlcfg @@ -0,0 +1,5766 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07/why3session.xml new file mode 100644 index 0000000..b689af3 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-07/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..fb36eb18e192d8d9539fc467fb0448f158f9aef9 GIT binary patch literal 3559 zcmV%OB__f~m$JzJ(a9r=Uf1jz@{a^1+ zzt`*S_lhiHi&iu>S;ZE2^+SE^PyYXkSE5pttaR1`U%q#VMD!egsd*qI<8Lt!)cE|@ z`T=Ik#a;C{TkQ_B=X(DHbe`JX^YhE8k9>K>(-uS}a0`!5|JXhE^~?6hq22@2KzjII zMutnzK*H=_ciSEpK7Xsfulpac@31QtKbL`#THL{sy4`J0&~dCmM4Qd-$J6t!>o=9D zw=bK`(`NT&-NLDVJG}JEuq(5e11CEfUjm`J>kjeTW*?Jz3)t8%4;7^?@k_SA>S=%I zzt@}H?%T_Lx`%qR-hS)5&H8wHI_1tX4@Yw%pUeI=>Eqla5`5n*xf|EEUK5Gdf6rQg309S<;%g2 zZm3u0Y7x15C8}3V#tZeTE9w=C(S7t{uxK+{v`tM3azR`0!ix&R$&}*ZpttUy_oshV zl(iti2Rz)+<&SkdMQPya`7j3S0|V=qh2v5ihG`J)VO?)eKS3`X41QMBETA<^HpAre zK3rjd^C#5vC(v_6VcVjjz)~-8Tvt>rqCBbc+n7q9sz9y&?Pb5|Nmv9bNhhSCM`XgC zOyw5_l5GKzbF%_u3xG6q1k|EvR`iltB}v?08{T@`_pU z#b`AuHPvWgbhI!%S{OqMOEyRcWH)Fcp$(en;n4NB{^_{>ci*8VMHJSgdl}72WOge@ zyOl@?trXkQ_ zCkzeWnGUB$7pAswP)5!il#%NW%1CffQ*n_w7#H<%z5TN3PrGf!rhdvj0Qngcuj3T| z1CzAq6`XqqsyOpsHT-S~Oo%c9eD*!`Q^tjZ6CC>EZu7mz_5;#G7b_yf=ZcvqtYYLI zMqo|F)cm?zq**BXMa&FX2+A6Uf{P#*zYAuuiHCx93_-=yfVn*MDwJ&3gQO}ZDkej> zyaE{P8j>)O9!p5Y*f~-$Rw5O;4Wk3z4Dvij9TC$XF?0mf5r{fsK%L~=a&&GrdbA!r z*Nl#9Gm9J(IFdO!r6Cwhy&H^~$4yPTW1K}iNZu_*?-mnm^iVHzbfohC4F+gx=qU`` z0DtiM47DNT4)9NzcY7ZI7@f{3LI4b3jsbu=qhJsH^A3EL0aZRqHGC$-2_ng7u2CFd z(0_}KmgZ6k%QLCuYojDsO0L)tLj2Lh@WH(+=Jy7s&~0r5fV?~4h98V@%Smj+o&g%5 z5mW$Rph6<(#};>w!51Qse)y1so2V0Zaat!B;uB!Su?z!k1Ojg7se!0y6WVatGwc)6 z_|yacIFIOz*?d=@0DBRpCLQ$`IC|Iy=E;c9^S4Y|K8AmF%9`OE8p6N!*|*j=vu~U_ zuYZ1MDNF?mENFmyhn~c-{s8?g2nwj1H&Q1s6{tr^QtS?RDcjZ0cmGc3w zVgIlTGLOjWTd`YY*SLEefL)N{KxiyVSISgMrE|!SqZxT#5^o;rJXU?g0m%Nu$Fu<@ z&Vm(~v((qZv;^K9W`uRXOvF3q)5{jo_wtI5pK_sm?dvW|8eJbb;@;SG1xiy%TPYH@ z7mhB)MHNbcNwTh_`WUt;)!FqF=izX%vlNl{yZzJZ0JwJd7y&}i1P~b}j94Mw2oOT0 zWM0iv!~4D%(h(sm!7CxA0DNDg;#M{j4&EWN>^!jc8$H{xWL9aKLyk5&n3lG%cM4C^%UUOV}Awxy4 z_t?h{-%3a5`7Q~XxBDo2H;ZogeGDbi_8@m5Ju$9iW>fAw;>lHbS=CnZBO zW{3XL?nOW+`J*XPLm0iB8k)s;ZNTbLO5b^#5~}y!@`r?flE=%KIgfd~@41x6>oO%z zOGD9Mn#UuNOL=@+^dZ$6$~-<>>5o}1Oh?f}B`S$Sj<+kC-KnU}E>etS7b!;bd^g;x ze6IGgUHj`g50}vOI@*dK3tf{88$0}d!#FR;c^Xd_QmjRyOfp7M9+0f#FA)!)%}8nV z(7;Mlw?6)Jx89y26}*ez4Fw2)ay!T)6TBD1Q2s!xUIwqx$r%ALipsmWh7E@vn zV&`!QE(!+Y(rYx*^qAWkvncja8JkDgfhG0>efw%O7?xlz>?5GDC6~97D3`s9_d^zH z-tcxB0Zq@1E- zz2EoS?s^GpTEU`cC9Etqrf?c#W2y|vv0#-Iw?c(##30IZ41%vQOONqt#35g_N~t+b zA(#fVLi|51C!{CvM%C~%Qj$%D$vC1?&-iRIS#cjKQ^Pw-3@g*elWWKDOYmE!*sF01 z;TdI;Uf~HsB1J2d#qE=C$y zoM#N1VLJ8sNt{lG*EX~r6O6I69aGqjiLZ73G&!6%u^6W|-zVsYuminh#N5L=R|G1j$*O{g3+=-_f`vl@FIFguQ}6qf$-${ROt zNxpBIpK%Qv&+&19)bN!6^~T>iu<6BwpWRH-1A-oJ0w#O!BUy?|Z(dO*FRT8YdB{ek zKhnH>m4zwgHAP&jV6#R3Od<1U3YBHoV3m0R+1sfN_U=6(>&A{Sn0%F`22FKik`!!X z0U6xm*8tY(A!X8uSkSftT@>hsK=^xD!*jC6jS4Pcd_$O#2(8}%#Kw}R`FQh2rZaemNC%vd{svI zGIuP@U>O5PLPZ8|@xBTUH^z%H;~+CEX>fj#ewK>*JchG`kOe1(obX9usEaW3>1JVr zUdXC)&G>fvayUft(kQcQjfhmwpWjbLN z6CDW*LNI*Q8iZ*>C=(a0O~}j|gzy#6WDSeL8juLgh=A=+%U`jEN-(Sm`)qXlyOBRa z5NgxkuvtaF0dY-hr8#~gL!Ze^_Pnw~a&3)wbRTb7mD6owl{#f&k>sAI%Y>!@*5 zJE|O&jtWP)qk&4x2+_*Owrdq+alBSUw9+WkwY_Fi%>;4WI&K`-jw{EdKP{#cqq+VV>oLVS&q?5u) z?j&=PI!TTej)+ytZ_OepSDe08( zQc^rqqXJ=A)zzev420CLRHG$uFt#CMb=XP7h8lK?e>84#zf(`F#S#EKHuH+|pN ztr9}@QdmmCoVc!8&t^tCBW{xDm}0HAjcRS9btfC%wY9R|2Aj?_^~`8z)J+nN?7&s} zm03yAP)j6hC|{A4=Cmff(=$rIh^@1*T05(pmCg!hxwFh0k)_TOPu2kOj4ZdL1sctY hOJ+OXHQ*G|bi~r0DQSQ#Oe8c;{}1!+(owW7006{+>bw8| literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08.mlcfg new file mode 100644 index 0000000..686b708 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08.mlcfg @@ -0,0 +1,5802 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08/why3session.xml new file mode 100644 index 0000000..132f57a --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-08/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..685c69cfca315860717b2fa1d72cfd1c97debb1b GIT binary patch literal 3558 zcmVi~h^)?C`aD?hmu?{r<4tZT~(~v)jMk z9Di@t+wYz%Qj2<;o6NJtO>@^A`eXRtb1%H|((9rJzC!N<647(~rRI^4OuxlEQseVq zn>&~-7dQTXw%YAyPtEfq(0OckPfst$KJn$A=Pd{?a0~a3|JXhC&CB-3zIg_wk@WEW zkQhD$1`=lfy4&`+@abFgeck_neaBs~^!X4Osl^Q}Y1-ZP2pxw8M6}uLemp+yx_;wL zvwhiY9yhx$>lRM^+y140h`Tb2IdHO*@dqH(blpCE+u~y~Zvh+o<<3*ulCWe8tRA2D z{r6_G+kJa^p6;R9the9#ZnHidACJ3l{nk?gTj=^f66Iq2`M5v8Fi>s+y~o`ue$7jE z=a2edvWXJ;IW#x@_RH}rtl9SaGqZ<147&fZikwc>3wAeAFH7oWs9ttXydild( zM_1Gp8L*v3@)R7GmdZ!gcAp2S6IC3qzwL9~|^eMrk%RPXtf=rYy9 ze8SiWo%wKTbYW^M2W8~MK^eL1po~NZHJ*#Y!MJD+>+P3Kf81?7oBAma02F3SypB`+ z4@}acS8yI2$a5CH8u;B3n2=-y_#ArZr-BOyC)oFg-R66b?K`B0E>=Z|&z_kitZL*I zMqrI+YJS-*@+=hnB4q|F24xLH(M6C;*afrL#6!V4hM*E?z+4`C6-u`2K~kOx&t&YD z7XX7@LJ|hjV;QL!J4GtSYNSH9VRXQoL7u0mBU1V!hK`6j0#Qc{sFR&rj?S${kJh8- zn$dA>VUc43M+!%$GzNpIcY`tWw5dsVinE9Z*}KK)-C}}`0qSLmj#U1?!2rz-J%xcQ z;16D3pf-fu0sbiqZXW^wqtiK62!P@9F#u3!6zsl#+JVn9pvp(7#?Op6Q6%NeHHrfa z`fsVx(o!mMc_Ec@ZIT4b$rT$yNI04pK6r4&^4`D{x~)wBPER7?cJ*y83s`a%NI4>H=f zo1gDm3RA%XD;gl*p(k@}K0tp9f&%L1jnoND1?owX6uToHg;wfj7uMgw&t|#X?{`1? z?kB*QNtn}+OLMP*rfgR0ZL{%;eVk5#e?UqxBtBr15E_fpUKy`cK8O4`no-~-@#djUW7S6-fb36v%o|YR zBv^qtOMNL!OW@66MqCHXM7nc6zHAYF&#(CSsT9iBzUh*r(e;rd?u}hmpfp}uuSncp zJh~KTRVW1}$=XZxF>X_;lj|wY!{KUYIU+yro*!3xz_pwE1Q3E|fG99w#0v37fDkGt z^J<fs~hkdX}@E+SZihYKy-+C_&KcuX6!Yu#}!krhx`Ctqwso#u+6V{eZo2$x0e8qpT%t+ zVK3le!X|mn=>d!?r%xMG{93uHM1^J3e!E;!q|=(>wUVMv_0E+3>WASy$h% zjYWfL9*;!MQrlcUm zPU8|>6b#0t*J$MFDYrFdQSHMUTSnM{CH4b-`)V{8mS8R%BA~G~m$#Crm%WSkT@h;D z^iB|YT*1Uad=M1hOFJ)pBmH6fZ-3@^efy()-XqEP?_*^1=kEqR`_GrSx8yxi&e5@X ze(ty3DF4UT8P~A!5+4Uhjb9m1ul%h8n_f)#$;~7`An5TXV2bxXQlz-_>J?@3vKro*hip`a zBhBkqS(s8^Q^chTHd~a>6taA#P(^kPR#_I1gPq!F@4*9#ZtRGI*;iR^&|EhrS;00H zkik8EjbNQ0;%xBSdte!L8`SlPkv6y+VBu+haM6|~W%>Ndm&gP#DayEE)h0UiSvu#a zRA9(MMIydprOBZ{JyxxA`K9Qkm>Q?Mi=D?J_E>&mcC2bL&r^LPwqR;q#z5B#RT&k^ z+^H~wWegmN6&bw6hblPS7|+U#gUqm`!TDMGMJgKd7|t?6R-71e!Y75HF2c;GtA!1E zCaWqn6WZ;|exJyXw~|-Yw`ewpJ}W0ay$ph7JPS6xtY8=mp=X`e;briy;(xXhl&evx zXMSAF?_+rrG%rP2nM;roTJxb5U`>{96he$R$-LzGp-K*$miVwC&uU8oQy`nmbiynq zIuaO!VECdn2-C(;CeB)$kcBk}5h|eB8Wxo`AQ70606UzPzhVtuFsuoOY;^p)kw0P( zYIS;{rlig?pa;VP34dHcbMz$CTd|ntnuJV}P52yQXItN=VRT+GCMS$ZWK6uZiLZrR zpHA6YQ*yQD3R7#QJk$5c(xM8j@iwOkR)>4`l;I?&hOa9ORmD)%3^CSQCMUm!d(A86bi%xNxoKt1JUVro|NPX@nmMM@hT+`E9A@QI+K}vP)>*x54Fs>HP`qs#-Ro6v1#e|L6OKFPs3SKkV{NzW>9TJj)uxI|-FC~RQVnfo zqn0yD9VN~>6_)k$=!XPi*rp)_xe;cUssYNm*j)=A@}b`p*yofJ-TCz+Gf zN#cZc!Z@LwP)y&Xy2U#iQlypi2DJfp4 zQGqb5>Kf8X214prYN;h~Ft#CMb=XP7fIkN`D;84#zf(`F#S#0ug{zwGsC=EQZwdNwoC8F7_F#}sR|U8>eDweIAScWt9=u)$?#md(s)XVg^^OWA4C^eeNH zVo5ELY)ScwtTd+$;hmmA2y)gs3#+xW%30~GaF#pEf)QEjED2-{5Fg1ZN(BW6S@o*v gL`$`STtu>#FhD><4UmP2gr@2L0ac(uHnA=M0J9&~`~Uy| literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09.mlcfg new file mode 100644 index 0000000..fb4d9a8 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09.mlcfg @@ -0,0 +1,5838 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09/why3session.xml new file mode 100644 index 0000000..149bd7e --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-09/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..bbc41f1cea7eaade1386b7e505a1734c1d506446 GIT binary patch literal 3554 zcmV<84IT0yiwFP!00000|J_e^`9)_lNav`}c)f-2V0E z_^@Oas|;{}t+kC#7; zc68-H=+$V^X0m9TniBMaw&0Z)4+tkyikpMpx_^2; z{;Q&_1r6Te=Eg3+t-~>D19#8IF<2iMSidZ6m)bB)gL3!ldVBl{dSPSmv!Z4Nt#Ps$ zC!hA=3Im)!;W>YTbFL_eEh-8u^$N#zMb#?mlPWL9T>Df7YV~g~&zqivMQ|i(hcxtv zOu4hE{LDbIEg*7gR)A~)kj9RHS`^KSo-?atiP5ZBJRf$|ta6Dfo|~0GvznP5FU(3_ zFe|>AtVX4#nk>^5@Vg~2A?gV5+4s;-85a&tu0?7L@IO}Mn}9E^?8aqBBnoL>TA zQ5|5=e~XQl=2{8MGp*!nqb68NuGknt{MN+y!M!Wy_XeiWZEXaAygT5AAB=FzNo>TP z5gMQojsUVbcpM|8$)zN?Rby$DmYj`|C1J&1vMGUD^{Et4MZ!@oLZ&9Dy*;a~ggTkEUY zH%?vFKi{jtiOYwb+g;= zcR%{>C%~9lnA4C;^GX9vSr6-Ny{Q!YIG+OlfRtiLieeghcxev(?=Stf?Jvr%ya&9p zKj1aW4^oh2L{{I5-6Ffj-Qoa9L5dBbu_#?BQz@19AwN!LwuYvch1L`Eu!!F6(2w4O8MH?UDPzXK5|6a*yRJ1rjoW& zB#0NbF2&g+lme4vT}kyZh$+>{^%Upfa3NWW$j`gy$6*h+c5@#ALeK;d8753vA>IfO zLZxJ0EmOn$z8KRHAuGWvA?5&q=^HS~TwSala$gjr68h8^IrjbxKVP#`L82du!plA7 zGhWWI7bw5#;S*(_k&PZM0$78G3$h$r57&I%4}%^`*T_>^53UuL9&&@BKsI~MP&h-( zm2dWS52PXRUE8bAkXI3JGp{$J*PGJoxBVYS@AU?~-kkG#Eh{ZNP=_69KKFXfap{>1 z6}{eL9~-@1pQfnZr`08|SIPt8=eQ1-vDdsFSIoU0@&j~@%2D4dOkHYtLfT+)uWWY^EM?^@4e-Z3I8mQmoamm@_65KE|1q` zN}iU6qQN|mM9Qiq&wS2Vj*QJY<)7|AYDjOO`n zxK;UF?Pa_6*L5B)q3djH!{ByV79wQaJi{Fd|2!G{PQ-r+rU-4R_i;xI8`29L2rT52Kv@vj6m3b|u z#2~~@;}TpH492C`Xr$>ew>4%}$Wa-aN7#`i_5*$UYBU&^U@q(Sdqrov<#QK@HoHkqxs4V9_!9VLd9`Qyo@ZTKblEmQ2( zC_;EfnWa~_gOEtkPzI$K%0h9JO4QeCtkNghc_}O(OP9|thp#CoDvux+I6IHiBREcn zz*6CynPqCsj)3V|gwZL&urk8vR2ycA&@2d*D{fPPNaNyAI4+dOQUXpxx!jkKRH`g1 zzd5_gwj$G3WRd{Wmd`$P-o{GhXMeJ{V+fuasdR|bV`aLKMnq{CjTP!x+xGOh|3Oz1 z4J^(xhRraY`urqLC*x}y+KvgvSlW&$Y{$gcI=>s8Y-h5mV8t@GVtK`iWnsndvA}Rw zkE;q-3y$EE%!ec38`xrT>Bow;%w7;%k{x5LYmY*x95m?Ya!FW?J$INLM^_3>8{xFCcq6wZY!K2V~vY5eAd5vecldZcNev z+gLyb_xLq{b$W=i-f!=LWjI@ZT#p!Oy}JPxp7wheZD~BLD!uYWG9FB_GOk~>2~K^M z&N(Ut7;;~c2(MUivM*3iRqIrK$$BZK#_{fAm!XI~m7kcMs+z3gvAz*nFtsdWpzHan zjPhmfSeU^w29AV^4Bp~>6&!AiXLZIwXIRqU{4D(}74>-xX9*z-P7FEWlfqaRVdm4- z!UjE)Rplq++wIGKAIVR*l2?y!Rc{V`I-KzIGAfqwq}ceff?>>uo^@P@m%+P&|Jh1V zsz$}0<#DyV59Libc`5SBT!a+gT8=FbYchYM5MshfR!N>7s^loN#D@)e_Ov801+uA3 zC(LSgMgoHn3}3VcVcHPN#93<-GP4FDd<8UF!>X_bBmy%cVEf(jSFE8D3~RzZ8=d}c zc(h$WOZh9iQ9`qnOsyZgAq}(!U7m7JW|3@aYF{Wt; z()VQOIAd*BL;RsF?5$Cz9~N3Wt(=xl3#Yl$%xUU0amqSnoYG!bN;xH+5?)J+XUC{O z8CG>Q=_CUs^@D1(1P;cwrZc@+814*nhI$fkj9>=DY3sBZNiZ>hi}y|6_jRj;P`wnE zQZOg3Yu2-ckV7bT6b-dR zvWD`344TuL@J=rP5}dWp!fNfTa#lJkoaN3kZ$y?lOFUTv#3!;t%{$(9(hkzdL6L^k cus_{_U)6S~2OtX*360bL0~l*pCb%vD0FbKR{Qv*} literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10.mlcfg new file mode 100644 index 0000000..2d54219 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10.mlcfg @@ -0,0 +1,5874 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _77 : (); + var _78 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _79 : (); + var _80 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _81 : (); + var _82 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _83 : (); + var _84 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _78 <- Borrow.borrow_mut l1; + l1 <- ^ _78; + _77 <- ([#"../src/lib.rs" 575 4 575 19] PushBack0.push_back _78 ([#"../src/lib.rs" 575 17 575 18] (9 : int32))); + _78 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB41 + } + BB41 { + _80 <- Borrow.borrow_mut l2; + l2 <- ^ _80; + _79 <- ([#"../src/lib.rs" 576 4 576 19] PushBack0.push_back _80 ([#"../src/lib.rs" 576 17 576 18] (9 : int32))); + _80 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB42 + } + BB42 { + _82 <- Borrow.borrow_mut l3; + l3 <- ^ _82; + _81 <- ([#"../src/lib.rs" 577 4 577 19] PushBack0.push_back _82 ([#"../src/lib.rs" 577 17 577 18] (9 : int32))); + _82 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB43 + } + BB43 { + _84 <- Borrow.borrow_mut l4; + l4 <- ^ _84; + _83 <- ([#"../src/lib.rs" 578 4 578 19] PushBack0.push_back _84 ([#"../src/lib.rs" 578 17 578 18] (9 : int32))); + _84 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB44 + } + BB44 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10/why3session.xml new file mode 100644 index 0000000..191502f --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-10/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..b94f01faf0d31fb9601298f8073b411dfc924484 GIT binary patch literal 3544 zcmV;}4JYy+iwFP!00000|J_Zp0 z?}y0n!84FB``6uez=coW+VAV(2gn_yV)64KFj9*fSkiX8?GZW-EvRU-+5LEY+V#Vx zG41wcvw7U?zN|ag^>6!^;UP$67IWZaC*u!5sO|fG{IDtygL zcIUVHU$O}r`Pnx&!}iPZE3DZL`!ln%4EgMTtOBRg;|05$950K<%kX&Fx#IUh7ehrlthFpe=ai#RJ00l;Y-~w;i6I zkN;{Y>p+8dxVhZrw{T(pPv_RD5C?zRn^`YHDS0?7Mk;h0Ml;@IeV(F@i0O~W9RYO&qK?R@lbl3yC0r*;Ij;<@=>edGa*h;NjYHvfOTWoZ+)Jj-hXr){mHNjGH#c~MoTNC+%dsi&)4NRfi+6Vw;cfbul7~z(a*oZwD z8lVx50Kh#Nx} zPMxgJ8q2}}j*QIizA10MNS>}D6%-@(szx!dn| zKZgD%z?eyx(~wK^MgvXRuGZUj(v5eDbB;;O0pD@pLfrXt3BY_&3yz2K@&g}m@s06cq2dv zm6CZiPYv(;BBvulHi9=oOaTJZH(*k@x>!7vz9>i|^rK@YWSlqszT*M>_Exxr8%n>}YJoFV4Q zH~YE=(h&Hr?bT<n@W;`6y+N-x=e%CaMhg$rVMm%zyg=s4~SE7qHz zZ+a&PJg#73Rv!e#_tH*F-$*};|Mq8&*To<8^BzsUUyhN@pDzu1_Mflu#*+7FIYr0z z`FYs(mrGdF3Kl&nVHL44h0_=tQ)Nhw1*@XC6)IFC22oyO5PXeUdW=^i4*8;0O3i5s z!8D*1;{WksLV5ykROP3Unrtde#u1fz#%GhsirY|`%I_#KtV|zIE^Wgv!Ec#juSOBV zGs+~r!X1P}iiR>M#ZVTCqg0~47P(5FWaqW8JeMw?Uk+bWPE;R3DR6Nfr$=xc4}qn^ zIWzOrm>dDqlL(_zgkg1r(Wy4f5}`>Ds#n~m0+GhWp>SL&kEH~hhH|+tA*obZR(^AK zQEWw~t;i$+rY)a+=)8@U%Fq5}Z*vG98>w`N(_>}2l14;n7>yO`SljmWxc@;HBMmIh zGltDDo%;MFPAB=b4Q*E_gG-KtH)K9 zs|82!N#?^5@C|ISy7Xg3TNW>f9Vw16*0r+`sss(1T`mc$vF8r6CRN@!m&@6qjDTqD)>^{X28cMy21< zyndC1DfKl)T&iHRMfpr2%V!EzWY=JoWdYgSsSWn-J)r2ujxd;fm8Awvbz_na*v0}f zxW}&ntkXlB^?rK~EW_FQ<9ftM>)j2o@U-8%Xh-8=HR+WvlJQ_tlyUv4O>pY7bk0$! zz>xcjM0mxDlYN1DtXik?OVLX)HI8=|I}b(dvHZmBSk+_=kM)hvf~j>G16|KoWt1;- z$HEMjF>oYQWbhX6tKe{BJgYMfI>V9%=V$2`si@CmI7RkgqcrQ3mf!I zR#l#iZ+9>IeI!5LN?tv_MY}l+>2Si+OI9r7NwM)|1;dyRJ?pp*FN1d#|Fe~#RE>%~ z^W$QEAIh6>@=}zQxd>g;=_hKds-5h0@+li6J{|v zBY{B(hA&!!FkJ{`;;gj^Sy+P*z5<%8VNqEF5`h^Ju>EfNE7s5mhBaZIjgEge@<#|l zUGyA4ELBG?7UB_usK9dO#Q+;8e?jBJt-q%i*(NKV_q&sfGx~hNS)6bVfeG>iniBe1WDrZ)6t}`pjSl|p;8?q1VgsGI(oXM0kxyqT;oXH7i5;*%;ZJRjzG@ICp zGo2)s{&VDPYR>VB5C>@PC^%EhA>mZR{E%Mw$6>0n9AE=P)pATvorqW>ckx-@3lt;jHtRnHmg`WE62 z?O<<9Wro#EYp0dd(rMu|cbYj(ohD9Mr;JnD>q;r7q*KCcN%7(s6)3~1z9qe6prm1? zmRbS_V>{EE!ORSIhB-q$2{=YD1LCxG+GG+;tSDi_au|lTQ$nag3QH-N6W1*p*vv?0 z#8nbKQ>@c=sXDvVx|d7dcdfGC2A92AwlkxhQCCSUWv@v)tjtP^CACDdCFLu!(ww%0 z_j(2{?yPkdR%>UKv(j1NEO(Z9BeK+4;>j8yK9Z$cw4&3UHY>#`NGC+chEB_lDXuvO SvM`a*IQ>5v9xKPNE&u>`cGGnL literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11.mlcfg new file mode 100644 index 0000000..f441a27 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11.mlcfg @@ -0,0 +1,5910 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _77 : (); + var _78 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _79 : (); + var _80 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _81 : (); + var _82 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _83 : (); + var _84 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _85 : (); + var _86 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _87 : (); + var _88 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _89 : (); + var _90 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _91 : (); + var _92 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _78 <- Borrow.borrow_mut l1; + l1 <- ^ _78; + _77 <- ([#"../src/lib.rs" 575 4 575 19] PushBack0.push_back _78 ([#"../src/lib.rs" 575 17 575 18] (9 : int32))); + _78 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB41 + } + BB41 { + _80 <- Borrow.borrow_mut l2; + l2 <- ^ _80; + _79 <- ([#"../src/lib.rs" 576 4 576 19] PushBack0.push_back _80 ([#"../src/lib.rs" 576 17 576 18] (9 : int32))); + _80 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB42 + } + BB42 { + _82 <- Borrow.borrow_mut l3; + l3 <- ^ _82; + _81 <- ([#"../src/lib.rs" 577 4 577 19] PushBack0.push_back _82 ([#"../src/lib.rs" 577 17 577 18] (9 : int32))); + _82 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB43 + } + BB43 { + _84 <- Borrow.borrow_mut l4; + l4 <- ^ _84; + _83 <- ([#"../src/lib.rs" 578 4 578 19] PushBack0.push_back _84 ([#"../src/lib.rs" 578 17 578 18] (9 : int32))); + _84 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB44 + } + BB44 { + _86 <- Borrow.borrow_mut l1; + l1 <- ^ _86; + _85 <- ([#"../src/lib.rs" 580 4 580 20] PushBack0.push_back _86 ([#"../src/lib.rs" 580 17 580 19] (10 : int32))); + _86 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB45 + } + BB45 { + _88 <- Borrow.borrow_mut l2; + l2 <- ^ _88; + _87 <- ([#"../src/lib.rs" 581 4 581 20] PushBack0.push_back _88 ([#"../src/lib.rs" 581 17 581 19] (10 : int32))); + _88 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB46 + } + BB46 { + _90 <- Borrow.borrow_mut l3; + l3 <- ^ _90; + _89 <- ([#"../src/lib.rs" 582 4 582 20] PushBack0.push_back _90 ([#"../src/lib.rs" 582 17 582 19] (10 : int32))); + _90 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB47 + } + BB47 { + _92 <- Borrow.borrow_mut l4; + l4 <- ^ _92; + _91 <- ([#"../src/lib.rs" 583 4 583 20] PushBack0.push_back _92 ([#"../src/lib.rs" 583 17 583 19] (10 : int32))); + _92 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB48 + } + BB48 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11/why3session.xml new file mode 100644 index 0000000..5b673cb --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-11/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..ac5b0d9a87a6acec89628db304949a602e09186c GIT binary patch literal 3549 zcmV<34I=U%iwFP!00000|J_>MZzH)4f6rgxw`;Q~AW`4Nedvzi|4LM{(v_-A(Su*1_koC*IsMY}NJypMavrIP z`LFdI&Q^VCG`?PpK*^CQxEY<5piFUKzN6_v;$$V!q3_mBVBJ$3cV_Q$?{My8Q; z|NW2{J_H5|XaBm}cC_&6Tm60A{Xn^+RFFO&A|t)H!6kLG+a9swP@{@Ao86Dcr(N4^ zDqC+~Hk-%I?#sHtUH`U!=^mm~b}>gzZZ!UYgzC24r*Bt$jOHy+uwU*f&Knk%Y?0OD z^S=9DZ+5$HFVABc>dkult!p>y!}0OB`_^qM&QOH5`y){<#-ES-0}dnQI?#LEt>V|b zWOsh6|0SEKk)K0z(`~;Tzv7y0w?8wxm!UuVAFIge^mx(kM#l^3c!7==&K)nBOnJQG zp|_(e$E(U?k>&9!I$k{*pB%5gaJ+IcxQ|)%7HtQMcDbogFJucrdFg;?GUv28?5(?} z=i|RB4h?GXjyBhKg>4;+P3Kcie3&82hOR02F47 zyiRcX4^7gMR|pXts1gvqYW&?WoRD;c_#Arpr-F+>C)js~-R65o?K`4JE;fk}pDVCQ zS(A}l9Kkge==o*0$g@cGi*%!m_JQqEkH zI?$m1mKqH&wGx*XS}E5iO+ZerpbsHoYqI|k!4=DU188zvmjIybj<^v96Wj`x8mXs; z25iJ5KrqlT5e#FCoBQYs2}nPDD8WtE8M_3pGYp9lu+mt8fi3}oaP!wZ zVj7=&@ShL~ohh4d>my<>!PKau{(@VNVo;t;_&k5hq=)Xn_+NsNcRPbF4pLe}jrb>h_J)8BRs&Nt2wqBOZlT>V^yJ@9<~6-0kJ`QFScqzJh=+jvBkp?jPlOMAH zTAlA3v2!`P$WO(log~aU|K`@&PJaDOYJ0 z#fw{4^6U{RNlCJ)l>QjSRQlw4O7m!VB3X{e&%5Wx)gE!}<~{+0(^jsb$wH)K+{x?DVzz9?BG&8aU6>irpizGkPAB|nrCFAtQ@ zc)6fnr2MLf50pbj)_b^&V2vIw*}QK(T=VrXjCz>5Mw!wEaIJ(2kQ)sJv)OZoB7iVg zz1i0TkjB7wZLc9iUL?FNyx#U+Z>L_r?fy6hueap&_MF!nRT&w8I_}7bvDX_xOV4De zi~$K(>i1ZuX#PK7<)bD2jm)s*K2}pamDKs*10HN0z7dR zw?%}#fQJd2)H$a|Fq$}h5=@J0<*E`DmUZ*(a!HYoYl_!OiYC=NQ~GNj`YZXB{BTq< zv_p0nF6}`De3U=hNot6r=Tk$w7_JReJ<933XmUdJ-dld3@Q?C%l``icj}JZP@^~{% z$@9`!G#KacMC4o^pBH_|wT5XPU#tw13$@G{?x zx2lkRvx-Q}+biGct62@ZJD8r_XAa5KO({Yi<^M#aZk))G?QPKw{>-0;e%@;Fr z8r?Uj($uaG|J<#&$3%th;x~N(B3!xk5Fu~FSGv}iNl3&T{C=I1();5m+E_fT%Dxs; zQV@dExP%u4OL6Hn8hLukZLM8QIV9(7Gv?x00AHdl&D! zBGkO;ognhKf{DHQFetv4c3%2M`n~vXf97~y{6RnO(d7H(7})&z(vWBW`5LbrdykfL zbgZAByKQ^9gf*^U@sko(5gT(jO|daohSX57DvDdNLN#Cz7bOPa*N~;Bcs1ZqC|c#z zoaYeCBU%yuA0I}fNASjV|1>fsn+ua^MCYF2*<`fhHddzkca#)X#*ZhLwh@-lx5}~C zkO=V^Wt3jg4q_t3V;PiFD2v5Wu1H^tzDl2E7gJ$HU%GsLIeg7I(ewyPfs6AvJ%ZzK z2#^csVCT6pIs!1G2xD@DfoX&>xi$=$&?pE^SKQ_Tk)g%0a6C~S0DXX zVRLR#Y(?d*s4M}cEuTZ^yiJwL&*5Zm`w%=da_Nw!r^@t18kwX4o+{L-wjJn+@PjV~ z8dRJIpk|!TLw=H`v;MV>Y{y1poZ60^*p5xFbzwIq+sNDxd8vX8i}IO5mCqEq$ga^U%K~z+Qy1+$ctFuj9dR)GD&z*wbz_zf z*rft8y2q~(tn)*h3x0c#EaTaR<9eh>8{7@C@U%a;Xv5QCRr!@KkqKZ@lySqVO?2wB zbk0$kfT0K#iTH|@CWiv`P_@qGm!g+bYMkyaZXS!+L-`5ZP}PJ=r20l|;nZmvgIq6E zWppTWr@{=CF=!-KWat(js^EBIJgYN-I-`w40axK9L`8C9fXeqTU?3d^qvxrB^J7tl0FjLSZa~o^@JBm%+OU|Fe~# zT#ZUS^W$QEAIqC~@=BJKxdbVpHSb#i)>QdMA?1LRP$`igs#GtuqK6H2_Oui-MY6d} zC+%W%Mv{UM4qvneX`2|z&k4Vk*Z;;uf6^&pgggas(@YUJg7Z z4pTYUSPpho4mOp8oyfr=XCCJ#Il>=5xGYDwjWIWogOBbX;d78< z&^ohhEXJ^<)S{_t)0tK0q-az#lU{i6+_RgNb*^1@eAzXaadRz{Y1-vd>zX&J*2@{^ zo-^;f^~P(j(lTyax3rGim1JD4VAZyD(=54?R#@P22H=5vV4geAt>?yb?YZ(?dM-SV zR2pE+XsepG(U{4JS~J-wt8LqK29%yj=7saZdSSfKUMMe6bm0Yf!M$J}oCoW{c+ehD zIO#zkVb`s2|7d=))g1`Nk%u;-u~xtm*lMPkSI#TzmGKIfY*wu6*s2u( zOscpBK8RL!iMtLK>5#E3|+#BY#^V)iCg08goT6rylmb562QKK@PZfn*m zKqYl6y)+6rSl8Irc6Mfkx8N-gB=8u~446008{3lrx#A4EW!H6eqovfHl8$pUCt+&n zU}lxK@+yfIG&II7b>o)Cv}!5Zrq(Xl;Ig&LdS;Ec`YMT~Y7MKqm0c;hlR6K-MDhf$Yk4Qs^b`z;(4;txRJvoOQgF XfJR!QcQBmDc$)qngzX}&xGn$ytep4& literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12.mlcfg new file mode 100644 index 0000000..eee7dad --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12.mlcfg @@ -0,0 +1,5946 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _77 : (); + var _78 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _79 : (); + var _80 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _81 : (); + var _82 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _83 : (); + var _84 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _85 : (); + var _86 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _87 : (); + var _88 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _89 : (); + var _90 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _91 : (); + var _92 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _93 : (); + var _94 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _95 : (); + var _96 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _97 : (); + var _98 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _99 : (); + var _100 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _78 <- Borrow.borrow_mut l1; + l1 <- ^ _78; + _77 <- ([#"../src/lib.rs" 575 4 575 19] PushBack0.push_back _78 ([#"../src/lib.rs" 575 17 575 18] (9 : int32))); + _78 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB41 + } + BB41 { + _80 <- Borrow.borrow_mut l2; + l2 <- ^ _80; + _79 <- ([#"../src/lib.rs" 576 4 576 19] PushBack0.push_back _80 ([#"../src/lib.rs" 576 17 576 18] (9 : int32))); + _80 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB42 + } + BB42 { + _82 <- Borrow.borrow_mut l3; + l3 <- ^ _82; + _81 <- ([#"../src/lib.rs" 577 4 577 19] PushBack0.push_back _82 ([#"../src/lib.rs" 577 17 577 18] (9 : int32))); + _82 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB43 + } + BB43 { + _84 <- Borrow.borrow_mut l4; + l4 <- ^ _84; + _83 <- ([#"../src/lib.rs" 578 4 578 19] PushBack0.push_back _84 ([#"../src/lib.rs" 578 17 578 18] (9 : int32))); + _84 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB44 + } + BB44 { + _86 <- Borrow.borrow_mut l1; + l1 <- ^ _86; + _85 <- ([#"../src/lib.rs" 580 4 580 20] PushBack0.push_back _86 ([#"../src/lib.rs" 580 17 580 19] (10 : int32))); + _86 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB45 + } + BB45 { + _88 <- Borrow.borrow_mut l2; + l2 <- ^ _88; + _87 <- ([#"../src/lib.rs" 581 4 581 20] PushBack0.push_back _88 ([#"../src/lib.rs" 581 17 581 19] (10 : int32))); + _88 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB46 + } + BB46 { + _90 <- Borrow.borrow_mut l3; + l3 <- ^ _90; + _89 <- ([#"../src/lib.rs" 582 4 582 20] PushBack0.push_back _90 ([#"../src/lib.rs" 582 17 582 19] (10 : int32))); + _90 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB47 + } + BB47 { + _92 <- Borrow.borrow_mut l4; + l4 <- ^ _92; + _91 <- ([#"../src/lib.rs" 583 4 583 20] PushBack0.push_back _92 ([#"../src/lib.rs" 583 17 583 19] (10 : int32))); + _92 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB48 + } + BB48 { + _94 <- Borrow.borrow_mut l1; + l1 <- ^ _94; + _93 <- ([#"../src/lib.rs" 585 4 585 20] PushBack0.push_back _94 ([#"../src/lib.rs" 585 17 585 19] (11 : int32))); + _94 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB49 + } + BB49 { + _96 <- Borrow.borrow_mut l2; + l2 <- ^ _96; + _95 <- ([#"../src/lib.rs" 586 4 586 20] PushBack0.push_back _96 ([#"../src/lib.rs" 586 17 586 19] (11 : int32))); + _96 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB50 + } + BB50 { + _98 <- Borrow.borrow_mut l3; + l3 <- ^ _98; + _97 <- ([#"../src/lib.rs" 587 4 587 20] PushBack0.push_back _98 ([#"../src/lib.rs" 587 17 587 19] (11 : int32))); + _98 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB51 + } + BB51 { + _100 <- Borrow.borrow_mut l4; + l4 <- ^ _100; + _99 <- ([#"../src/lib.rs" 588 4 588 20] PushBack0.push_back _100 ([#"../src/lib.rs" 588 17 588 19] (11 : int32))); + _100 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB52 + } + BB52 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12/why3session.xml new file mode 100644 index 0000000..7455ebd --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-12/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..3eecd733794c93afb1cdd3c3c0bdcf1cf93f7aad GIT binary patch literal 3544 zcmV;}4JYy+iwFP!00000|J_SKC_hooemBG^*1kE-hGs;{c6`Ir0I@oT;BkF)Rn;ke#y|2|W*`@i0u zey`Wt?-g0Z7OiM%vWhM4>WBK+pZx!dSE5pttaQ->pM38UiRd~0QS(4Z#=l}7sPXx) z^#jb7i@WM^w%Q$L&-MNZ=sdN%=jWGGANlf%ClN#?P=v>)f9#(7`epm$Q15|hAe}!i zBg3UMXnbdNto#o#`AkuBN`7Hv~gf?m)Tyz=4!;bcm2bI@D&&->HA zD#}{W-~(z|J6fA<}pq=?EIbuXh?iNbE> zV7C$pp_PJO`U9ASLQ60hGEj-wla8h&ZsyVEr%REGD#0rf@v6PH=tErA;_+Tyi7qo) zn06Q%zB6r34K7UW#6cN3b5KUEJ18T;K~2R);b2_U$MyEhra$er6&w30_W=H1>007l1iCLsWZFUJ5tok6jO{&@#J%YZ5$v>HAp#0e@XXRc8l zV9L3Cjzulxw3VSW2!~4k3PPB7flC70Y`AQ|Puf0zlavaKjHqxaA}^Vo!z! zXoMpGFi;^8^ka*=$KVSQNI!fi!A;Z&yEv^A4Dk`L;#h%!HUa^+^VC38vDQkv(XbAt>XWv@i%)W8z zy#D#2r7#sNa6$w0n|l(+`UCX0peUej-bkImRG=O;NwGWNk#EIrc4hqo{H~kb;jsJB zcRvBfjKZ9TT$)!JXv%uE-qxE+v5(^^@B^e2LsAse$m2_M?0|;y$EuGw0NJ1Tm;_Mb zELed#OMNX&OW@66Mpy^TM7(o8y=)PEFR%FcsZ`3>zV4!?(e;rd%EqoApfr`Vl_EjB zuyrXe9-$PNB$m+MC-3zJz202%dMzt0JWz)nX+HLP&2j043>CfJ zV;{?2ug_Cd@6+m<*DK`#@pD`U%-CyQk1NJr5BUMQM&b1eVVmFZ`iONlh!+8mU&L)5 zV9(=W#3p&k=>d!;P9FtR{8qWDM1`hqzg;gW(s51kR!LFEdS^_3^)g?{Z{&xglA#&0 zLw{-aDxjnM(M(c97`>btn#FK!!0J&--+7x7s`uXVbHYE$<7Ld8hdkc*T*~A1G$l_< zL(yQI$0LzTd3;**A=MhDd3>?bZ*#gZZAIrwR8of=ZdbIpQ&C%7q!=kKQjC`QZn#zX zTL5G@dS`Sc^oR6pW%iAX&#hB5uBzk<#eg zz)DlMKK^sJ-ku^Ayo=xE0))SEt06+(`%m#&qbDH|a`4A>OiCY5qiAE`v?}vjOo>5= zoyR4(C>V@OuhB@;V{U8AVj@RnY#CuQOY8^w_SI;RmtZdJBcQQUE^j3p=naRU>x`XDI2mv&nEM*3O&w?A{dF8-jO_h|C{atv(#d}+|L|9p*Cmb^#HDLU5s zeZTFlm$1eaEP7VLDq>>_r!h9B%8(oiRz-0uRHz0FqP)Z)_%vkcFA z(|}fp|EJ}M^a$Rl%16bLn#ba{QWdqUjNo0vG3TegvoC5Lhal zGc!+((Gf5`iZD7w7&eVCI@N|*A~Xs@(-rrrK%{YTC>&3e$5H}LL%H0SkW{KHE5A9r zD7GTgR%DU@)0WRZbl%5G9I0Bkw!#m7>yO`SljmWxc@~L0}U+B zGltDDo%;MFPAB=b4Qc4~vYdk-kOu_Fv7UuCI5Q{9-P1Gce% z4DRu30PFM+XT9G(0?Tl={S2si=Bre_E3IecBpEyipTm!Xu;HJ83SFn9)IpM^R6Fw>Ax(G9$ZWcD^ zg{-PP8Q*SS4u?p7xRtzme2aQ>?9<_dr>%L;}uA9~ht9bN_>Cj2i}f>Jdq z_RLR<`C}+=!pTcfR^}q4_|`nPJgmv`jY5b4Cs`$VdZ?0FXo(LS^5SVpUP%U`jEN-(Sm`)qXh-pC&z z2(>hRR|G(cOhcC>A<_VX37f*F09+MpG0rw&UuC)}iX1R;DDo%~e6ZjhdkWq`sqhE> z=g=(x+qj+b9;dqS@g{F|##^274uM!eI21YM6h0`ZDQ_|6EpGD`XS~H3?--MP$%<#* z{vn%BdDAg(TJk1mylLc3GH-guJAC0uu&^M0FUe0OSrV{?@U4k5haR6kH#a5WW-19k zJAEEbpWCn?eh~_6foEIb{ywFrlE|?n^0p-MOcHq}i443|SP&)gwji=3a8^uAC1GPp z*lkJJnIzMspN3}uu!FE5N&-m%r&$vJEeJZ11n$zMB=B+g7DxVi>Uw*3*Y*uzoz+ci zAbK@I@wTpYuUEYlyp`=tIPRFEj@+$`wO!NGrf(tFrix45c1@#HOE`s<`{L1IBFd=j%r7hqta2~D0ehaX&E6} z8QFHNf*g+5iilPkWxBT4Osbh6j$6l#zHv&JEj~1;e=xx z2-|)I`-i)e=v2=*p}<3F-WtPM!^mo;h?CYy6PfH>X@Vw%$-p?Q_Ly)KQf_>F-^N7eNR>$XRPgN zh&;4~y*0}8tC`kLE2pK?!fEa_bDBC$oU%?Cr?l6VQcg*ygx8Yd#W5;ShE-inI>|su z{Yo`j0taJT)0y7P40nb(Lp=#NMlb{7v~}8K5=^WpVSUs0ecdV{R4;|46wHb1n)PgE zq%-0siH<4OYTKyRHd=SG;ayuR>us>g64>E&u>E@4(3b literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13.mlcfg new file mode 100644 index 0000000..90cf7e1 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13.mlcfg @@ -0,0 +1,5982 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _77 : (); + var _78 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _79 : (); + var _80 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _81 : (); + var _82 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _83 : (); + var _84 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _85 : (); + var _86 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _87 : (); + var _88 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _89 : (); + var _90 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _91 : (); + var _92 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _93 : (); + var _94 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _95 : (); + var _96 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _97 : (); + var _98 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _99 : (); + var _100 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _101 : (); + var _102 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _103 : (); + var _104 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _105 : (); + var _106 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _107 : (); + var _108 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _78 <- Borrow.borrow_mut l1; + l1 <- ^ _78; + _77 <- ([#"../src/lib.rs" 575 4 575 19] PushBack0.push_back _78 ([#"../src/lib.rs" 575 17 575 18] (9 : int32))); + _78 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB41 + } + BB41 { + _80 <- Borrow.borrow_mut l2; + l2 <- ^ _80; + _79 <- ([#"../src/lib.rs" 576 4 576 19] PushBack0.push_back _80 ([#"../src/lib.rs" 576 17 576 18] (9 : int32))); + _80 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB42 + } + BB42 { + _82 <- Borrow.borrow_mut l3; + l3 <- ^ _82; + _81 <- ([#"../src/lib.rs" 577 4 577 19] PushBack0.push_back _82 ([#"../src/lib.rs" 577 17 577 18] (9 : int32))); + _82 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB43 + } + BB43 { + _84 <- Borrow.borrow_mut l4; + l4 <- ^ _84; + _83 <- ([#"../src/lib.rs" 578 4 578 19] PushBack0.push_back _84 ([#"../src/lib.rs" 578 17 578 18] (9 : int32))); + _84 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB44 + } + BB44 { + _86 <- Borrow.borrow_mut l1; + l1 <- ^ _86; + _85 <- ([#"../src/lib.rs" 580 4 580 20] PushBack0.push_back _86 ([#"../src/lib.rs" 580 17 580 19] (10 : int32))); + _86 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB45 + } + BB45 { + _88 <- Borrow.borrow_mut l2; + l2 <- ^ _88; + _87 <- ([#"../src/lib.rs" 581 4 581 20] PushBack0.push_back _88 ([#"../src/lib.rs" 581 17 581 19] (10 : int32))); + _88 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB46 + } + BB46 { + _90 <- Borrow.borrow_mut l3; + l3 <- ^ _90; + _89 <- ([#"../src/lib.rs" 582 4 582 20] PushBack0.push_back _90 ([#"../src/lib.rs" 582 17 582 19] (10 : int32))); + _90 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB47 + } + BB47 { + _92 <- Borrow.borrow_mut l4; + l4 <- ^ _92; + _91 <- ([#"../src/lib.rs" 583 4 583 20] PushBack0.push_back _92 ([#"../src/lib.rs" 583 17 583 19] (10 : int32))); + _92 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB48 + } + BB48 { + _94 <- Borrow.borrow_mut l1; + l1 <- ^ _94; + _93 <- ([#"../src/lib.rs" 585 4 585 20] PushBack0.push_back _94 ([#"../src/lib.rs" 585 17 585 19] (11 : int32))); + _94 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB49 + } + BB49 { + _96 <- Borrow.borrow_mut l2; + l2 <- ^ _96; + _95 <- ([#"../src/lib.rs" 586 4 586 20] PushBack0.push_back _96 ([#"../src/lib.rs" 586 17 586 19] (11 : int32))); + _96 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB50 + } + BB50 { + _98 <- Borrow.borrow_mut l3; + l3 <- ^ _98; + _97 <- ([#"../src/lib.rs" 587 4 587 20] PushBack0.push_back _98 ([#"../src/lib.rs" 587 17 587 19] (11 : int32))); + _98 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB51 + } + BB51 { + _100 <- Borrow.borrow_mut l4; + l4 <- ^ _100; + _99 <- ([#"../src/lib.rs" 588 4 588 20] PushBack0.push_back _100 ([#"../src/lib.rs" 588 17 588 19] (11 : int32))); + _100 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB52 + } + BB52 { + _102 <- Borrow.borrow_mut l1; + l1 <- ^ _102; + _101 <- ([#"../src/lib.rs" 590 4 590 20] PushBack0.push_back _102 ([#"../src/lib.rs" 590 17 590 19] (12 : int32))); + _102 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB53 + } + BB53 { + _104 <- Borrow.borrow_mut l2; + l2 <- ^ _104; + _103 <- ([#"../src/lib.rs" 591 4 591 20] PushBack0.push_back _104 ([#"../src/lib.rs" 591 17 591 19] (12 : int32))); + _104 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB54 + } + BB54 { + _106 <- Borrow.borrow_mut l3; + l3 <- ^ _106; + _105 <- ([#"../src/lib.rs" 592 4 592 20] PushBack0.push_back _106 ([#"../src/lib.rs" 592 17 592 19] (12 : int32))); + _106 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB55 + } + BB55 { + _108 <- Borrow.borrow_mut l4; + l4 <- ^ _108; + _107 <- ([#"../src/lib.rs" 593 4 593 20] PushBack0.push_back _108 ([#"../src/lib.rs" 593 17 593 19] (12 : int32))); + _108 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB56 + } + BB56 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml new file mode 100644 index 0000000..7501fee --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml.bak b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml.bak new file mode 100644 index 0000000..b04d328 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3session.xml.bak @@ -0,0 +1,527 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..ddb8b474f08ddf3cb69710ab1e32b6402142b01a GIT binary patch literal 3541 zcmV;`4Jz^wf`~6|P+x~r~X19O6 zIsV?Rx8EDGNG;mX+++<~+_ZP?!5_o_4R1uF8rkTo2fjk@0}|15{H5lRkW9bDJW}KH zU)wvFEf+V<{cN?{&z{=nN1*fA?Vg@qjz00_4bLKoMxY4ykN?;``SxY|W8Xdl(@45} zKO}|^fq{hCzwWjk7e0M!zpwodkUL7n(&s~Dq!u@@r0sUwBXk^EP|;?y`|;0xN z?e=A}dED&2tUK8CZ~GVj5T!DUIdHP0@dqH(_WeG6+v;O9Zvle+a@SDWk+5V7tRA2D z{(HOG?Y_M{k7Z~#>+Lt+Z`Oz7<8k-RZyQQLgx>#=C|Bdp$Nd3@fpQz@J?>WVYhJTE zzt#VeP1MNGp}FzfFUPO2X6yH7W)~UC+5cEYPN&BUb~id+mX4R<@v?Kr3no(^FMlX@ zbme$ueJr9rUWv!6M&py?RTqv|EC%<{i(=7cuxOi`67+($5R{h=2q#mDn}gogKRqA+ z)lk-f2Jdilr7LXfa7^03-SaXA>mvgjmc{K-8;5CB?ta~Fk3T^#Yz%%j)GVM?CYv(( zv=3Jp;QR^C`4gOTLqTlOP++MSIIbJ27D=B}1u@3jrz%owe|ve}coG-Ek>nlH*dr?C zj;8W61KGBK$f;QYvPD2D9TBxCniV}~R@oAhS+R6J?5bJS5;wdyD}iP;GCMvoD|x}J z_+qdcm78j?FgjS69xRNZg=HJ01=$UnNNmH&^SJ5un}0m4|LuD`Ns*K_>V8OOB`Uj> zgWXCbgjNcA@p~`}g_dA2WS|nUCm&5s+{}~BPnRMWRfAU|5>$I>(TB9G!{a@_5?yAp zFz+xnLTBEb8eEv#iGwn7;-HLNc2Gv5gPMkm%E7p359{rhjX&Jwh|di(Nm-MT zTNr^g4O8>WZjoo9>K7?9U@<6b7>X`}T!IwLViPw7>llJcpaFAv>{Y1Q-h-wZCK@JV zx4Zxt>=KeN&>qW3#n>rQF*ZdibQ?ws-V}YFqK-)Ek0>1xbp)c0D5#U2TMo{x29MT* z=bFKBZDo-|0!J!Gr!)qGv3G+p^CZ-$JH=VVgY4a6@NO}}#sKxQMn@|D-(Y~|h91Mf z74QeIuTUF8Zh?Qwg4>4x!033+Bm}_l`4|AGGbncNpLXE045;!!tMM}q1)O70Cji7jWC$tmXp*-Jp~$| z5sv`CK*dBbj4f{Nqc0>N{qUg%H_>M7;P zeC~mNoF{a~Y`$-gfV~J)qmK3qY(0vBc{1Yj{4J9n?&H5UXU(t=4dGvh>|5)r**8v| zw?E%?6sCd&PH2FBOHbz5et`ZC6b01H8>thR3e=M(DRxIZ3a!-5F08+UpY3wD-|v3- z{wKhgQJB+^OY=qpP1&y2+ji3^_HjG~{sAe)kQBu<^6;`e_}^drw(}QdSHS~b*&pyK z@`Ds)o{%-PQn#qCakn@CQjp1p&{&jilxdX8`;Z?8GYY&U-aOQ4ton!pko}2|SpX$Y zf)$vv)R)4v1l}BG#C5<-q&w&1%NEi1{ECmCYNdSjZJ#uau8$m1Hg@>{rD>#X6p7-+ ztxIwC2&KRzSvOLBjABZ4ay`X)I6RRoN95<-^W$m{xOQ`&07B3V5EUj2SRvjB5JKf- zUd?kO_`WFVh>(rojSypi!1N86RIV--54A4}(g=O(iyV7@hM%w5sUXP@#l*`4fr(dl9__Vs@^-2Xm{G8SSGxnO-A0qNt)!?^y)&i1`k`FOujGfLlA#&0 z!*FR2DxjnM(M(c97(JgFn#FK!!0J&>-+7l4s`uXVOTs_O<7LX6hde&?oXg|&G$qeV zW6@xo$0Lz*d3;{L5Jf1J4Sc^oRRE&~7AX&#>B5l5!k<;kX zz)DlUKKygH-X0Sbyo=wI0z|lSt06+(hOcz3(UXt}Ir#lLC8hVrQM55|T8()vrlcUm zPU8|>6b#0t*J$MFDYrFdF_EJ&wvMocCH4b-`)V{OOE4D>5zyEvm$#CbE_)a6yDHSY z>75|*xPpmAeGnAiOFJ)pBmE-&+n+gJ7k|*tdo=leIR-X=zBK6Bf4;^WOWvd9939)| zXTR+)m$1eaEP7JHs$ydfrztk(%8(oiR#kB;R;UIHqP)f+_!_eG6t4yx3Pr1&n$sMD zX+$f;|Kr1m^a$RlDo-O*vbivsMpW(@o=rw8ZewMtyrZPBGJZU{w2iO?zh#cS8byfD zD5LZWcMuaP8q1&*Ls=}2Qi=Lnlq!9eolk}3rF8lHa`>8aqUjOT0$1m8dIZPe5Lhmp zGc(VP(Gf5`iZD7y7&eVCI@g9-CNv5{(-pV5K%{YTEF4di$8rKrW4Sz(kW{WLtFSq{ zsJ0^WR%Dg{)0WR6bl#>)<>zp+w8Ub3kwzqG7)=%GRND^pc=$mV0}U+B zGltDLore4*O(*5G4Q7670ZbgzsCaOT|KRu zxLS0CkYqj_0pGwDCzpP#Xv^vau_M(nrn+_!Le-!_i_2wUHTK+LcAQ)(F8$?|H*VgM zT5ekJaSejk_*ft{eq}(t^0y9bd@`>KY4Nvur*n+9kG6uR{sLH5N z=1zqfEMwqEtjORkK2*Ws#&}j|9CU^y4bIQfuTs&F$8eSra>9urCwx*UbrEJhT`g?T zGg(!AGNIkQ?DvWMa4UKB_!jNv;Pc_cr#}CS+v|LWBxvwuZ&T8juLgNPr!7%U`jEMlh@ihir8CyOBR) z5b9_ubOA0+(+uc|0SSOd(HuS%OqF6W$u`M2-6TWw%pB^RGscgaH#y-=BJY5nwxoT4 z>5@)(OEcmv%~jsgOnIlCinokeg#-YVC2f!)UYaTIaheUES9z-w-s*&ROaf%cOontf zWEgVFdwhG4yyiWv?9*iFd4!gpnm3QUMO={bjF57$A_>@nU{guPr!UEMNyv#LC#Nst z=}Q_HBuT&)M6m@C{+`E9BoU*WJA7V~MChp`LQf?TI_5|wE=Yf?6>LEjNkZDBrjm%U zB;vXx;zSa0B1y{DWL%IW38hV5Bnf};z^9VXu_V=F(D3J}>+Q`==a+=_RxdjP(Q7Fb z@7h*-z4BJ@PIfclxMPkwaoAmecyK75-iSe!>E`s<`{L1IBFd=j%r7hqta2~D0ehc=@=ne8QJxn zf*g*wiil1cW%|x*Ce=(3$F1YWaqYNrTsjV-bH|zE)N$gNb<8-X9aD~haKbSTgsoq} z{^9N6nH4jJ7YLoGP0T};-q!bIH{e4ZAmAEliW$>Bz2NFVVy8eXeX2t(h1=N zcY--Viw=x5M6o3|o=C1&dL??QdM3fxxnKoTg3_r>s-PDIIjBlvC0v5wxUub&Lv>VO8IfUNTUUU#X>* zz`@wg^v0W+;m$B;XdnT{2xdT>woaQuf{7I+%rCw7ZKs4#UJ6Som=o76^K53MGvX?V zo+;L8yHuTBYTe5v@4HsnV1vuvEZdpU&Zw&-ma^BR^((WIVo5ELY)ScwtTd-B;k}+w z0!D0|h1J?w<*am8ILn=7!H6t%mISf}h!132W(6fZ>5X94OTSuiuRuH@z^FRg0a=(x PXqx^XV00mmvMvAsD3993 literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3shapes.gz.bak b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-13/why3shapes.gz.bak new file mode 100644 index 0000000000000000000000000000000000000000..d069e0aeec3f47a1cee8c04b083c49ab091fdb74 GIT binary patch literal 9954 zcmYkfWl$Vk)3pl(ch>|N+@0XTgS$Hf3GVLhHpmR_?(Xicg9axM+%?FT`+4hBo&9rF zcdxp7RsYyzF^EwAdmrb1dbOXw0uMX=!?r9|;-JUct{Q$~kQ4eT!w}y#gxs#e)Nbld z0;PbRK94I7Y{}`VAfQ<@wH^U6OLo;16(!-dBpYCC>V<4u$oH-Fs-esO>G9^|evx4I zV@3S-s`KM{XF4FFboRr)_TnX}XJwM&*WhNzm7k}4PW=il~|p<+%E@ib904!Zq9~{a%qU}1G-<@1#{Y+JrY8J z+XewlU&6AC?l1js%{{iW*&fKYw{5c3ZEp0Xg}k0CUWEjGuJ=ZBjV`JKcH zjC#Fp4u=zdKX+>mh_QT}2|3jC`re*2>!;<2pI(l~@CW!bQG585eE`yR00FiUvlF+y zJbhoVsbwEn#}NGb1YBe063A{O-8~18yChHQ{MKwro6Tzn@OqcR%~uTknS6 ztekiAco^iYbMZVZtXNzyzpl)(=HhXG#ZG0ST)HJ%NA&Pu z+-j>cmgDCeloi}KOI*fjTv@=Wx?|R6mOiTst|9ZJt!nway^pWS)o+a;AlMhZ4a3;g zSunyBaTv|!CkgHbpwfgg6E0O+df-SL{+Jh>2|@psMq8Wv-V3BvP$gKtxZ6i(T;EBn zZTnqbh*S&!-N+i7&``BmO@Kprvvt%P&wmM>fWPr%mw~HqPqMk@d#dNjyc@a7AKfR% z&Ct<6SThLc2OPXE+$QH3@W>}-d3js*d3hF}+#aP#K8YjO<_dqDHvUWT)@OBto(Ey+ zVpZqM$#FnXQEnAXJ<*(y*kAku2UTZrP}0+pyVQr5INUIzVd@HN&Re(q=(f_E0*yPE z;@uge2IbW8w?I3Kl*r{JpFFhl^TTIy!y|@Ot>2{t zrj6v?dm0tDE5rL!fVHh>SL_I=m+ilz3wq^K(_dBBTF!xi)NR3T$X4Qo_b5DSzYfui zX&Uc0p>36B{R<7wF7P$J{jtxzri)Hf`-i|GWT5ei-sII;>RtS7%PacO#gnqf!&$8pXSbH)Efm5=D=uZbxu3mud%nz_yj9 z$%065!j^}`G_pnF;V{L4{=SGO6^E~s9>F)O5s<+mefK>;mypdhqY8G$cAH0`aZalJ zhdu33*-@5~zrV28_6GC&-BGpjyQbI$Fh@S1fcF~SL5sZ8=iyOm`fOUWXQWX1pb+i=J`5 zNF0y3jkASw{$&Wa2PrA8d~tKXni<$Z>(e5cHS@0W?nkC5<0eoPlG>W%pv|XfS$y=U z`_z1dpHz*n*w~1VLVN#H$orK=&jBQf{(W&ZylJ|9i}EW-;FDy*nx2R#*q7zQRL>#a zHRoxIdl{c%+by88-n&(|TR`{i_Gb3$^vR~#{Y4r?ucvkC^SvM-#;3BCm%AG)Ur}@0 zm#j+DVV1(W(dw3`@@om-Q16|)80wbgy;@8+M9!BjePrZh`k>|di{`dpcJA6KI)=lG zUDl@IZN%o+Yvw`%OINm+8F0TxYGsQdMflzRhFr9_k(#fT%>0A5B}TycJ~ws1ci%Qf zq7EC^Rp0{+Om_^~CIweYWvjTjhlc`5$;mu+&ktRg3XJKSmB0XkQI~|QS|?ut7smM3 z(L`S>egd=yr`M(NYF>YtpoLS2W)!fObO&W zo~`W03jE5q*HcpT;X$VtCd5wPDCI6`KRpK{cC=f6;P;ag`^_K8s^DOqOsqL zxZhQ#KpLC35ST&X`S|qXcJKK1Yd46VAfOJPTzA5*hV#JVTu;g7%tSVY@HL`Ti0*B7 z+P=l9pxWoLhp$*k%rOTN!RM%z^Gw#6pY`qU;|#n_GCjUM zXWs31hTf)_AB`9VZ*LYA&yuIGoN*pcLmIvu^!`7$7Zjjb84ADN?_H69lVnQm4GtLLiVGp#A-!w%a9 zo9j*eblnw|m!<|IL9Y!q-Q;5dR+rjrZ7@j1eHX$N%$K;}LZq&wwx<6XA~=3(U%kNE zwV$M;F9%``@PBKirs1zJp1hJGv&8FaXMj!{;A{In*{=v^?7Z4=Gde;PHcDy0D{oHpyJK*rv@!^*7s(Kb2CpURN(>F~MWsZocaUL<@BnGf~( z!)atwRTA!pj)#fRHGZ`2j9&v)*)zW1Bu6(>4og0+bGYs0ttVTz;;+ludhQb{<+6L3 z(eJZhja#akhFR|lhc zY?vc&v8aI+T$#&$;U|(PzQsOTKxZy4Mm_JDR@Qy~Q*2*_5BJwl1poGFc1?#B#i?iQ z97D``*-mXG*{a0ukf!I#w0H|p%lo|kP)}NJpHXFoV?uWiJK1>kD94DIcQwNg-SkcZixQ3z zSM!=Nc^%)%V7U=bH48e9Oj+W{uYb2g3z*|YwFM7?u;o)qsKc6BU@m4anQZ@%s6aG1 z&w1ZoPc$yyGg7;>{5*EoP8;Yf4ZU^XP}&e%YOCZIwKKhQ9^BP9p5B7qr)B3<<4!C| zyW4&42KBdar#bByT{erG3csJKxY%?V6q0wm$h2AN<5zf^XOxDa^^`N?7c88smQZ@M zE@CMpC+hn%5|0&oF%)M0q}<92D$@`l;QIAtj?E3=;To|i6>}*%DAccxV?Y1LZF}t7 zk<8EfF3Xqxh5)JfBl8`EMgeX>{OMneul84{UtTEs+ z{$NvV{){H9TW8GdKIVJB6?3CKCbS%#PQk;^!Dxs-> zEV_Xpz#07jbMz7}-ziRslq*1nar~L?7{{DnxkTvqG*5C7!9>ZiqvmhS#0&i-&G4yR9PahjFCIA0Ny~v z2XYv<7&8~V#yDv+2ywPDEMxSG3V#q1x^b`&*cgRIn@;V&p7a|e`MTg^$Lj5F%J%PA zbIib!V`t4{`I}IHwhAmQZa=hS-FGao9+koWst=GP>k1GR>4HB+8z%r9ze>x30UcQy zvej5Q%Ax-`3{aX21|mHg4={rr^M6?+r*llDC>amn$$N@nkt&D!;8Oeo$S8msWi5fU zxVzB+!F)svx&fi+7QL++Duw^gqpbi@iEiLiv||E*t5v$AWKySCkefdrQ49CJ(3SKI zTD}bd$G*Qwey1pd#WGbfoer$E3~VI+hZ$jqN1v+&>c3{{3` zaj&5zyS`%${*whc8fDLy{`{veB`l18yMmVQLcnq8H^ZM`7R;a@{FgP2VgHaN5CQj^ zRMPez!R|kU{|K(50mAu_7<79=(W{%}R=S>C$wg5`eEDNlbR0)#yMchl?@22E7_P=< z7~IqfaiXW93;a{gqHdt&Eih;r;gSvLTCaYVpmP4k0Z$>*xH!uk{;wxrk4o>~tfBM+ zJ|jI9GetU%(Yv$6-1PsGi_-r^Z6TTT&*!tU*#jNNKjw`A%CD76tx^x6fX;t=D#kJQ zflA&C8Mp60`2SIK29M|H1BLR&E>z5R@yGE=r>UH1yu^|WRLqp<8W3>Tgrb=?0c!(= z=~UBH{}jgPGbG7}KtSjBB<}xVJo1NR=w=(6X%XHR9w-%I{A}>yT4T<5RW$ zOAM%&bf75hj6l^c1pK^NU`6BS-aUhtg_HIxy4XKu27>3&m$LC=;(Xzw+5Lbf)g3ak zGz(W`19z-1#=o41E=lDPW35Lrs)%P<@eWJZ3p0^Ba)J?f<0Inbmdqe;eSVT%oggL{{#jHd)4d;+3u>P@*L&gTI$a@75}GS+N(gUE12#VRBJcON$@5V zqHd((Zq$neHR&OCdu+##^5?oaXA#Fz*{WYqQcsl2)dd{;Wm9RobIJ`FQ%(*_O4NL; zBTkA6HkPJ}W;vT}G*q)EfhXD^^@xEYj@I&anK(=9m0+`PDN=7%Ja+K{*auTx?r1mj zld_#jdg&MFBx)@gIX(7k{B}y|pp4cgNK{LPRcn}L?*-=d%{;<-=aTWu3(NXheAC}_ zG`pOyeH^T zTAijoSZNJ*>C>!dliV>Q*?GWJWg+4t#%G;1&z@{%mEq9Rp5IpaExUxwL>UKZGAaAq zt&s8NZ$4x_+#6&i3OS2Cj3KRg34~>m+>LgS;7?7+Y?zqDXU*l{cz>mJ-3wLBx{LcF z`1Ma#lfhh@^FmJC5GAem?D%1O(rG4Bj&Q&gd1@KC4@vT15ham4#j2^zb!gP0c*hPL z%S!>N`jKC}82!I)9mO9pEO3o)zr1$B_>GOr>ZQ5J9?(%hXxE(D zz(b_n7f;$0@N>uXu9m8x(1l$?Bf5eJS{0o|BHPS%zD<=(*Qfr_^x5>-^xAaS^nSP^ z=9*xiWrRnE$c5dPeW}RIu~3R~;EDzzl}JLmIOC@d9dE9_`>>F!r<0>ohZ}`8E@4^B zJ;CWROJIfk6m^=a7>7g&n^!fQ;?GaGo`0V9{$v}Nu_aa|&^-UNJB;Lm+b4nl;m$7T z`mi@8&>5LUjl&AjC@JeUjU=wDz;{yypNk{uuxuH1HMI~pu;j4ju#mEn5=VCRctSed z7M`0opbQIsS2a*xg~?TG$JTwP%9AxjMarDP{{fQ;?cyfYG-#Nb2U8r#4OiT(W*932 zKUbBPF4`DkfjB)dG}MGGr(((=Yb!bKCwrmhoD2M$@~hO9c7Iq(E!33h4|dhpSScz? z?4pT+3B?hASXFrShJ0k$aqzg(qi1|dg5NWCy=9voe&uiA=d6s}i_5AuB)YbxyeTFwDiXItv#It$ zM8jG)%D%vHRcdU*v9To@7e!Dk*C zN6OWsakW`Gxe6XS_NkWw2a+-!Hae9}404ys&Sig2d}5qZdvHsrCIXa+RzYLcT*~TN zGNK4CfqRjjZPofVSRwt?44)R1$|GgU&p@rStMpf*Kj_?cz_PERCdn7r6t7aiifU)= zY76+QoD7z;#QTQhPR+wT4V*8D&YGt`L`CnSqz&S7b1!B@LZzloQbNf*_OKuUYIiV~ zTOif?Qt%A4s?vxw&l5q`9&#y8&oKK>sr-=(lUKWFqFCdu3~^-@o1n*z#(I*OkR)Hp z*~OwI52>OYD&Y#1y;6NpY0AUQo^Fz)fCkd>Z|P{_uToSC@MdC4Qo(Lf+y}MaXNNO~ z3#EZ~&lqsbA#|d_QcOBWs??Sv(tEwsDt&}CfiHmYA6-wg1q#x8;VJT|x()TJS-w=l zcS49MDLQ+Y&(a{^oHbAGb6rYtRhK*Fy1=`jWpP%^c+`=(iaJI$wfM(PxWz$}93Q0| ztOb*78VMDEY8(Mc)B)CABh#gXNd^oGpl-jX!7@*`bIt|mvG++6NOiE;m0g9Q zsU4D^4%OSBaxlZmxND@zXo%U=L_6n#V&9O%qjghbk+QiQeiKEY_D5hlGg=*+mt8Ot z)ubM;9fApoe%H2+Knk)X$gxj}HWw)wr>nT?7P?a};ywlT?84_%ghsxU=GsKke>x6TybU77` zNraS~9k}~c1(D4!Ozh1j5QA!veYflBI)f`t>f6W=Zeg1A5XwGSjR!kXTK`boda^Lj z7NbiDRYfRqXrcV9UO~B>*%O~&ecin(tZm(J_l|dnJHodIEIt36MXBq~piTP|$LC-| z^f7WpPRp?4=3Kku=B_#hjY1BYZbm;CO18gUH@SW*2==>#U-Q6UijLb@aLOu`b~SJ) z+0Y89Nv7ef1z|vKH!cYMdh^Nwi!bB>m}U-vxiS5rPN+av4S%pJ(gL+K2pei*6t%ubuL=;1n6FN5N$oYu z(bSjZ@)xY$p?!~e9-$<|@cRUhB)!M3Ouz9?2``YnW95(LsocOVoIk@i71#cNiA3DE zB|Q(qpkSmQ!Tei$yHSE%;zmw$y_n<79PP)pt}sa#vuYLjz7I-8%4!jnBUeS%tK$c@ z^3<7!OFW+#hd+G_dZL!PRvC(g1E^|-wVgK?rUX)WpNtVCwT$+xyBMAK*FGGqC=Y&D z7r%yE^N~uEo(Da=Dz!j5Y?;)eZugLzjxNI)gxwy-lj_JbQg8%fTTbRk`KTD7eHAhz zEz9;>l@aoXzQJ4L30I9JrXtP|j~QZD{(=MnOl@ZiqUpkzMTC}aqCk8$!Pct7%ChWu zIK*16K`B(X%=MM#WrrSXC^EnnI2=hKUDQ&rvI0_c{}|yz_kNYKuZ3 zdV0EOtwqm@zd05c;5pd_q# z+0^*`nYK7Ig1j+F6|?Z3l>P;{A>Pn^BFnpUuTwUe0!C>f2>;2XGrT7{YAPQVDuHTX z08lg`Df`k&5I3j1aoL%_e3ZrQrIFlt7SkXpS?baPutE1D%6V1Zv@GS9JuhbBP9wJ< zz*V210T*b?*J&e?An+|cK9|p0V5EG8s3N8J!%c_=j|Bt0gR)yqpkqAE3CRbch~UTA z!im4pa%(!J^=}N-^V_5X%eHATJ&0|6CdHM~(<2zZ`Dm1g45t81Yq0yZmC#L7*Vtrr zne$Qgznmx^5#%X~w{&wbiSsOwQ$LUEPeV-(pqn zE;pr;#^R7*U1XFj1w{W~87@)xmK<$Li1hNFwNT?mPBUDu=?3Dow|r2Vx=Ly! zn<45nZ9!}!DtbLND76smbS65cE?44jM)@xaVOEnJ_O&xr*e!)DNah&{;Z5Uy z2+ep&>+sN6<#yX%eLI!GK~($vmbiya7~I5BzvX;Hzm@FyY6!7-F@(0BT*T8E)C?NX_P1YM7&MPwHmr=h_3PPAFYu4r!Nyo z1x77b=E+1d>)R&@jZm^ZG>V5NV{CqmBf%=)m2Xaa-^l}QNXnC&!mQ+(BFOj9gCkpw zF%ATOOt8~^r>?)zpF2TZ_1KjECd-p|V<%pGPS6_PMa3kch{PLf_ia`=7{oQgL<)zX z53j%efNf4ul&C#~(eg%PUOz9>1fv6Q=smm`!z*cv-7)rkh}o2+?m5jQc@8&$Tl04z zLZ+)I0kc(Yp?kXb$o^a4OyCSOzamL#0lDN*E?8uoNs|8QAk@C7EBti;&$`*lGtH*cTmUPpr3eS0}(~SAkKr=fX+9v2y=u)G)7ya_}Jwbe; z%Dsd3pCvoM%J7s-#t}M$0@tVoYFSX(R3Ib}(rKIuBw&Rc3Id_J-nO{aG&EZ8zCEp) z6eBdjHwm|eAAEXwKoznm%hE25<}XBn);aRdhC=9q?-KSUamQO1WmArh;mIIeSLz@( zl9b&Vew*s{O(gBIZt_L9`!4O$3?*XcJI%ginFS!t!;J` zqom1Ul%0(vEE2bZ(7i$LCQ~X1AAfk|^?hRl)?PUKD~3MhCx#vuV)O z4aZgileClRbk5-b{L-=qb*!&gsAcG7?^~p)8yLHIWO8v*dD_iR`QfM?gr_bS%EQnr z&?~c0HTiEdOtfQs8M=%a2di=-JC&`0+-_~iS)q1C?o5t2EeN&;n(3{Ykv#1?lF3wOU%7i_0K6aE~gB^Xhzs02rfowYhJAd2z zSLi_M&H#}~ia(J&<{;nYU;Z^c59+aSh8(CVCXo(l3B+uqZ11tgRUwltROl`I1TMA? zZ=y%oQnC|Iq#|q>bQp92hsyBDCA4K~cW1uSJjj|+RK<(<2G=WrrhQ(0&y5i-vg5$! zd`yBNCdGEbBUA*dz4ng|0^*o(4EOdQw;-`~>`%D}4Z@#*5zg%R{Gad}-#S%|Wt;S<4=WHH=J zx~;yUi3OY(hi!^UAu5Ua>ZgZK4@PWf>`JrMddP5M3p%S4!)YnfIHB)#z+&h(=(k$b z7c4(2Q1Y}6e9iARyVJ&`X!nUyUo=PfSA^GI{wHzGb1!^=(HP8#rfI3RVEtj1e!y)$ zp7fdp3=I87&n;Vs3A|Af(UWTT$WmH5tgG?HhK8&gAoM|(^MvG67I6ui{I1Q{FkSXY zYp_Nic4`6(;iZl(rEcUsF(#S|;o%h|GlYD7m~f7dEN&VL?8mJL#_`EpG6L_wngZ}~ z>+>SvvPmu2r}h|mP%JqcMde#y@gJCpn4g2S=!d7~9$Pw1hzGfPxEJT@rLKOi>uvcl zH#=ATVRjs&#&q~pWDLGjF(~DwL0eD+qcgY$o^<305AW$_M$L zu_c?(Y$vAY9pDE-$}-GyBB`;<9(>j?8(c;nsrfJl)x*nu_e)Hzui1-J7$;m!yW`5} z1mqPhIciG(oR9X0x1+i|A5IUG#Lu(0f>?s;*_&_-u{yz3H$rZYFtk`CFaI4zJz67? z#qD_pnkYLQHi}mLx(K}nNEwvz>8b2R&1wr{k*I`I-tuEfFJ-l=q7OP+jy*&q-9=rN zHdBs06Uq)e%a&^*9Pv70e(plE3>TxdY*xc_ME*;fD&qDK7g$22Ad>;)qQ=^1D>RWB zj9sRdi-uFT#)*d}Q8&Fw(SVMxS)SO8^#m`l6`ROj@)RfXHGd7vFA^5L!Wn8Rc%bGb z;$7p;BRS-nvH~yu%@uW8ZlN8+qd%2g4qF9dhlC*q9e(*lWdL-QSt$NRL&iB}4Ti8) zwi0w`m^bv(SJD?@A~mq;!=$epP7!zL9GmD4HicXHY0Cgi3RLUESN-)l@uHxHE5rr{ z)^6O!-M}kswI+sSuj&>|k~fS*<(wHQ#5>Z7P;p3Tc;wFr zGPN~$HZ)%bjZ%pb)^0x^O5ZoPqi_!17bqi;RO5FLVl^ykBz^}m2&q#dr!q06c_JhB|+uv*s z4-+NyX3FT`OSwYzqZ?@I!&fl13Wv-u4jiB5ul7Nwt3p-#T*51VootVeLP2NX=4x0n6evF&>9qWrkB;Gl bI0fD1^C9olHBRRK2Lj*+ekordG}QkC%>hZ| literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14.mlcfg new file mode 100644 index 0000000..b60b823 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14.mlcfg @@ -0,0 +1,6018 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _77 : (); + var _78 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _79 : (); + var _80 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _81 : (); + var _82 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _83 : (); + var _84 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _85 : (); + var _86 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _87 : (); + var _88 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _89 : (); + var _90 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _91 : (); + var _92 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _93 : (); + var _94 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _95 : (); + var _96 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _97 : (); + var _98 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _99 : (); + var _100 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _101 : (); + var _102 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _103 : (); + var _104 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _105 : (); + var _106 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _107 : (); + var _108 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _109 : (); + var _110 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _111 : (); + var _112 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _113 : (); + var _114 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _115 : (); + var _116 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _78 <- Borrow.borrow_mut l1; + l1 <- ^ _78; + _77 <- ([#"../src/lib.rs" 575 4 575 19] PushBack0.push_back _78 ([#"../src/lib.rs" 575 17 575 18] (9 : int32))); + _78 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB41 + } + BB41 { + _80 <- Borrow.borrow_mut l2; + l2 <- ^ _80; + _79 <- ([#"../src/lib.rs" 576 4 576 19] PushBack0.push_back _80 ([#"../src/lib.rs" 576 17 576 18] (9 : int32))); + _80 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB42 + } + BB42 { + _82 <- Borrow.borrow_mut l3; + l3 <- ^ _82; + _81 <- ([#"../src/lib.rs" 577 4 577 19] PushBack0.push_back _82 ([#"../src/lib.rs" 577 17 577 18] (9 : int32))); + _82 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB43 + } + BB43 { + _84 <- Borrow.borrow_mut l4; + l4 <- ^ _84; + _83 <- ([#"../src/lib.rs" 578 4 578 19] PushBack0.push_back _84 ([#"../src/lib.rs" 578 17 578 18] (9 : int32))); + _84 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB44 + } + BB44 { + _86 <- Borrow.borrow_mut l1; + l1 <- ^ _86; + _85 <- ([#"../src/lib.rs" 580 4 580 20] PushBack0.push_back _86 ([#"../src/lib.rs" 580 17 580 19] (10 : int32))); + _86 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB45 + } + BB45 { + _88 <- Borrow.borrow_mut l2; + l2 <- ^ _88; + _87 <- ([#"../src/lib.rs" 581 4 581 20] PushBack0.push_back _88 ([#"../src/lib.rs" 581 17 581 19] (10 : int32))); + _88 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB46 + } + BB46 { + _90 <- Borrow.borrow_mut l3; + l3 <- ^ _90; + _89 <- ([#"../src/lib.rs" 582 4 582 20] PushBack0.push_back _90 ([#"../src/lib.rs" 582 17 582 19] (10 : int32))); + _90 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB47 + } + BB47 { + _92 <- Borrow.borrow_mut l4; + l4 <- ^ _92; + _91 <- ([#"../src/lib.rs" 583 4 583 20] PushBack0.push_back _92 ([#"../src/lib.rs" 583 17 583 19] (10 : int32))); + _92 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB48 + } + BB48 { + _94 <- Borrow.borrow_mut l1; + l1 <- ^ _94; + _93 <- ([#"../src/lib.rs" 585 4 585 20] PushBack0.push_back _94 ([#"../src/lib.rs" 585 17 585 19] (11 : int32))); + _94 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB49 + } + BB49 { + _96 <- Borrow.borrow_mut l2; + l2 <- ^ _96; + _95 <- ([#"../src/lib.rs" 586 4 586 20] PushBack0.push_back _96 ([#"../src/lib.rs" 586 17 586 19] (11 : int32))); + _96 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB50 + } + BB50 { + _98 <- Borrow.borrow_mut l3; + l3 <- ^ _98; + _97 <- ([#"../src/lib.rs" 587 4 587 20] PushBack0.push_back _98 ([#"../src/lib.rs" 587 17 587 19] (11 : int32))); + _98 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB51 + } + BB51 { + _100 <- Borrow.borrow_mut l4; + l4 <- ^ _100; + _99 <- ([#"../src/lib.rs" 588 4 588 20] PushBack0.push_back _100 ([#"../src/lib.rs" 588 17 588 19] (11 : int32))); + _100 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB52 + } + BB52 { + _102 <- Borrow.borrow_mut l1; + l1 <- ^ _102; + _101 <- ([#"../src/lib.rs" 590 4 590 20] PushBack0.push_back _102 ([#"../src/lib.rs" 590 17 590 19] (12 : int32))); + _102 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB53 + } + BB53 { + _104 <- Borrow.borrow_mut l2; + l2 <- ^ _104; + _103 <- ([#"../src/lib.rs" 591 4 591 20] PushBack0.push_back _104 ([#"../src/lib.rs" 591 17 591 19] (12 : int32))); + _104 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB54 + } + BB54 { + _106 <- Borrow.borrow_mut l3; + l3 <- ^ _106; + _105 <- ([#"../src/lib.rs" 592 4 592 20] PushBack0.push_back _106 ([#"../src/lib.rs" 592 17 592 19] (12 : int32))); + _106 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB55 + } + BB55 { + _108 <- Borrow.borrow_mut l4; + l4 <- ^ _108; + _107 <- ([#"../src/lib.rs" 593 4 593 20] PushBack0.push_back _108 ([#"../src/lib.rs" 593 17 593 19] (12 : int32))); + _108 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB56 + } + BB56 { + _110 <- Borrow.borrow_mut l1; + l1 <- ^ _110; + _109 <- ([#"../src/lib.rs" 595 4 595 20] PushBack0.push_back _110 ([#"../src/lib.rs" 595 17 595 19] (13 : int32))); + _110 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB57 + } + BB57 { + _112 <- Borrow.borrow_mut l2; + l2 <- ^ _112; + _111 <- ([#"../src/lib.rs" 596 4 596 20] PushBack0.push_back _112 ([#"../src/lib.rs" 596 17 596 19] (13 : int32))); + _112 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB58 + } + BB58 { + _114 <- Borrow.borrow_mut l3; + l3 <- ^ _114; + _113 <- ([#"../src/lib.rs" 597 4 597 20] PushBack0.push_back _114 ([#"../src/lib.rs" 597 17 597 19] (13 : int32))); + _114 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB59 + } + BB59 { + _116 <- Borrow.borrow_mut l4; + l4 <- ^ _116; + _115 <- ([#"../src/lib.rs" 598 4 598 20] PushBack0.push_back _116 ([#"../src/lib.rs" 598 17 598 19] (13 : int32))); + _116 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB60 + } + BB60 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14/why3session.xml new file mode 100644 index 0000000..9a55ec6 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-14/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..1f18eb63325506813a8764ee2d540ec55b5fcf22 GIT binary patch literal 3545 zcmV;~4JPs*iwFP!00000|J_zD11L%j#4fpq>} zMutnzK*H=_ciSEpK7XsfulpY$caVz3&t+hw7I(0uZg<-gbR26?(Pp#z@$|gw`b}l( z?aOBKwAp=Gx3KHq4ln&ONM#mt;ABVROCVHt-64M4;$t*#0fPPVP*K_vzhn!np7w|S zd%fB1zP;?nGSr*(_FLa=*2mM+Y4@$)R+NAUUH?aLhCIzL{pyV3Eoc)Sdcmt8tuFq!gr`7+zl zjpLQ&v54|`B_6LDjZcnOT{&K{7~DrMvPGN0qHStQ& zMOh0Pe8A1+F2AkgDQW|E&+{0p4-Bkd7Pd=m7^XqFhjqO@{RF+RG5A?gvw&8fZ1Uvu zK3rjd^Cvv#PjJo^1+hg%fu&yHxUQ&LM14}_#TaX!sz9y&?Pb5|Nmv9&l6FW#k0_Ko zn#wN>B-;Wa=Vk@S762)C1k|EvR`iltB}z?D)j2{cQnv{KMZe*m*kXbA>G1}YJI($SQ}%{)uNr>01SUis0Y3X4`l;Z;!3hriaku&2WBUQ=p^Hr-#OI2csI1Az zJ&eGbimCZ^w@9;4^^2Gpun?3r3|v5A|4bqqnp(}1}=^eWVB*Mp`iCMqUF zx4Z%v>>83V&>l-j#n?GgF*ZdibQ?x9-ei5AqmGE_kH{SXbp)c0$f%Q?TMo{x29MT* z=bFKBZDEl^0!Io*r!)kEv3G+p^C;A)JH}bWgXG;}@NO}}Mi2F}L`N$B-(Y~Ih91Mf z4e$rAFHjpoZiau#yxaQ#!033+Bm}_lNmPoS>3&<{H%j z2K~3#XlbdHu)NSpxi)HorR0j`5aPEc@(1^>Sl%0$LbtUM0Lt!w8-6gtEhn)NdonaY zBOC#MfeMMBA6wi#249Fk`r$(fZlX@u#c7>jh>w63#|jLz5eT@Qrv{>;O=!bGW{?xo z_|yacIFIOz*?d=@0DBRpMjiDR*m@8H^JK*5`CBF}AH%;oWzDb;4dGw=>|5)b**8v| z*FQhB6sCd&PH2FBb5G(}e}MiL6b01H8>thR3e=+}DRu`u@~zm-uB?B6pLMf49CknY z?kB*QQJB+^OY=$tO(e_HjG~{sAe)kQBu<^7zsm``=&sZQEa!U3m|9Wq-gc z%MVhJc|=yfr-rpOIw`7Xhrn!v&e=*7BCG`(e<-)HTYK)`M%srH9;LD3HxwG8E1bbLE?T z-2-U|e7E-MGvr0Y+rsNj_Ifk*`fdNm$$Py)uQ!*xUdu`g57c2tnvcC+b6k2MLq)Im z*vGQh>+=-V`?R{|^-6g_{2bQ-GxnO-;zhvY7jc^h z*zbVxm-2W$P07>J zP&63l@kr!S9-kI{NVSG(9$&2V+ng>;ThX}^mDC}J+Z8SDRMZw1DMpHm6r*Ln8*WuT zS9{s6{dJv(OXzwXZN-m;u2F`K9bVor&Zpx%ji(DK)*?|S1*51BNY?R}h?_5Fq%=A= zu+r46kN@1Qx2H%2@8Wm40O7CPYKV~c{wrQ<^duxg4*s}~N$KNh6m1NgR%Kp`DKQAK z^SA^T1%q+vH5zGp%x#TXOysDHEhB7ZiTyy|z8Vek63m5t1T=Qa<*g*9%ihKNp$Ii^ zdM5}xZeU_o9|Xns(oRd?NI#4J_GgaQ#UJ$Z9!9Tc+5nQH1b} zGD@#-2O*K7p$tkfl!f9bm8h>puF@yj`BYe*OPBkXHqE)aNI0I?1nXXgektt3RWyjE0#B`SWc|?Jr)@5>T%V? z)q*4VBy)KJd;?pYT>7!1EsGb#mK4Vr>)KfeRe}c1E|-MW*zqg|-#W1I#e|>TOwt2_9&Q4rc<&=cic4=^QARJT{+&5zqtb6_ zK7EyiDbs6;xK_bti}IO5md_Nb$gaUE%L1~uQyc8vdqB~R9bqu}DoYKT>c%7;u#E*| zaF1UDSf__L>;3i-ScbFp$MuAf*1H>E;d#Gz(U!);s?sZ8B;&!PDC7E7o8Z(J>0F{R z0YmO965$mqPWA=rp=zDVFGVlK)HvQ<>^u~)hw>A%LsgSiJk~ct3#LxX80dPwDx-Xv zI~HcJjDaJeB7?VhUj>I7<3*iu&>5CAIKN20NJV`f!&ySe2`7e}@JS)pMVR??v#>!g zWL4$K_;&kpI7ITpt>o3?ThyClpAIKHy=28Qo)jBjRxphD(6f%~@G|%?;eW9bl&Vp& zXMS4DA47Q)PF{+#G8ZAmx8}L!VNI5A6haI*$tuayLzT=zOMKXn7f(w9Qy`nlbiyn~ zXCyEP!SGdU5T*^GOkA`!Aq#5|!dF0(H7q99fJ9(M1Z=-s{)#nJf?-YAXQRX4jr8(4|9s&=4Rr&*9TQ4XVXB+th57Zo+4dp6z)ar9(nf@}8zR&=YujjHH>j zhfhA`O~$;*ZQkUJH#y@?0&kyd*u+~wJW*uATbXg1ZEo^bX39JEl-YI2XcU0A$|;NT z*@>R=mSf(s_oZy9*2upp*LK2H%@691=9Vk*h_^cA};2|JVI?DSPQ zeSE}$k0=S)g37j_V4_X1mxCSOM2tc00L zGQNPp=S@k}nI!5=l8_!s9Tr4MdLt*liuqtsF2tTRqK zYDbl$(ox|kcQjCG86jF3 z*>nbuA#r=`=vY3?+0nmSFKvQ8PNwAYnVPD!VP*OKDJF)C1oRb5Rw$v{c{ zN;O&n2V+~)ncmC{cZNAbJqb8QFazSWb=qVSOsptjebe`S-6|neFNLKP%!%uo^=xLO zGvX$Rjw#k^+o;wyT6ePHU0W;bZLsM~Q_qZcM%^UQ$PU6qzcMQ+8fuAT4dpAc(wx?W zcX~z%7_oI0R%>UKv(j1NEO(Z9BeK+4;>j8yK9E(0_J(#1U%>{M?U`wK!-=7EC0aOt TAPW--jnn@F@q!;CvMvAsuwC%? literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15.mlcfg b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15.mlcfg new file mode 100644 index 0000000..a8e58cd --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15.mlcfg @@ -0,0 +1,6054 @@ + +module CreusotContracts_Invariant_Inv_Stub + type t + predicate inv (_x : t) +end +module CreusotContracts_Invariant_Inv_Interface + type t + predicate inv (_x : t) + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module CreusotContracts_Invariant_Inv + type t + predicate inv (_x : t) = + [#"../../../../creusot/creusot-contracts/src/invariant.rs" 16 4 16 8] true + val inv (_x : t) : bool + ensures { result = inv _x } + +end +module TyInv_Trivial + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + axiom inv_trivial : forall self : t . Inv0.inv self = true +end +module CargoDir_Lemmas_MapSetCommute_Stub + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () +end +module CargoDir_Lemmas_MapSetCommute_Interface + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _77 : (); + var _78 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _79 : (); + var _80 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _81 : (); + var _82 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _83 : (); + var _84 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _85 : (); + var _86 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _87 : (); + var _88 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _89 : (); + var _90 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _91 : (); + var _92 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _93 : (); + var _94 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _95 : (); + var _96 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _97 : (); + var _98 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _99 : (); + var _100 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _101 : (); + var _102 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _103 : (); + var _104 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _105 : (); + var _106 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _107 : (); + var _108 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _109 : (); + var _110 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _111 : (); + var _112 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _113 : (); + var _114 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _115 : (); + var _116 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _117 : (); + var _118 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _119 : (); + var _120 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _121 : (); + var _122 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _123 : (); + var _124 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _78 <- Borrow.borrow_mut l1; + l1 <- ^ _78; + _77 <- ([#"../src/lib.rs" 575 4 575 19] PushBack0.push_back _78 ([#"../src/lib.rs" 575 17 575 18] (9 : int32))); + _78 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB41 + } + BB41 { + _80 <- Borrow.borrow_mut l2; + l2 <- ^ _80; + _79 <- ([#"../src/lib.rs" 576 4 576 19] PushBack0.push_back _80 ([#"../src/lib.rs" 576 17 576 18] (9 : int32))); + _80 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB42 + } + BB42 { + _82 <- Borrow.borrow_mut l3; + l3 <- ^ _82; + _81 <- ([#"../src/lib.rs" 577 4 577 19] PushBack0.push_back _82 ([#"../src/lib.rs" 577 17 577 18] (9 : int32))); + _82 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB43 + } + BB43 { + _84 <- Borrow.borrow_mut l4; + l4 <- ^ _84; + _83 <- ([#"../src/lib.rs" 578 4 578 19] PushBack0.push_back _84 ([#"../src/lib.rs" 578 17 578 18] (9 : int32))); + _84 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB44 + } + BB44 { + _86 <- Borrow.borrow_mut l1; + l1 <- ^ _86; + _85 <- ([#"../src/lib.rs" 580 4 580 20] PushBack0.push_back _86 ([#"../src/lib.rs" 580 17 580 19] (10 : int32))); + _86 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB45 + } + BB45 { + _88 <- Borrow.borrow_mut l2; + l2 <- ^ _88; + _87 <- ([#"../src/lib.rs" 581 4 581 20] PushBack0.push_back _88 ([#"../src/lib.rs" 581 17 581 19] (10 : int32))); + _88 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB46 + } + BB46 { + _90 <- Borrow.borrow_mut l3; + l3 <- ^ _90; + _89 <- ([#"../src/lib.rs" 582 4 582 20] PushBack0.push_back _90 ([#"../src/lib.rs" 582 17 582 19] (10 : int32))); + _90 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB47 + } + BB47 { + _92 <- Borrow.borrow_mut l4; + l4 <- ^ _92; + _91 <- ([#"../src/lib.rs" 583 4 583 20] PushBack0.push_back _92 ([#"../src/lib.rs" 583 17 583 19] (10 : int32))); + _92 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB48 + } + BB48 { + _94 <- Borrow.borrow_mut l1; + l1 <- ^ _94; + _93 <- ([#"../src/lib.rs" 585 4 585 20] PushBack0.push_back _94 ([#"../src/lib.rs" 585 17 585 19] (11 : int32))); + _94 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB49 + } + BB49 { + _96 <- Borrow.borrow_mut l2; + l2 <- ^ _96; + _95 <- ([#"../src/lib.rs" 586 4 586 20] PushBack0.push_back _96 ([#"../src/lib.rs" 586 17 586 19] (11 : int32))); + _96 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB50 + } + BB50 { + _98 <- Borrow.borrow_mut l3; + l3 <- ^ _98; + _97 <- ([#"../src/lib.rs" 587 4 587 20] PushBack0.push_back _98 ([#"../src/lib.rs" 587 17 587 19] (11 : int32))); + _98 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB51 + } + BB51 { + _100 <- Borrow.borrow_mut l4; + l4 <- ^ _100; + _99 <- ([#"../src/lib.rs" 588 4 588 20] PushBack0.push_back _100 ([#"../src/lib.rs" 588 17 588 19] (11 : int32))); + _100 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB52 + } + BB52 { + _102 <- Borrow.borrow_mut l1; + l1 <- ^ _102; + _101 <- ([#"../src/lib.rs" 590 4 590 20] PushBack0.push_back _102 ([#"../src/lib.rs" 590 17 590 19] (12 : int32))); + _102 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB53 + } + BB53 { + _104 <- Borrow.borrow_mut l2; + l2 <- ^ _104; + _103 <- ([#"../src/lib.rs" 591 4 591 20] PushBack0.push_back _104 ([#"../src/lib.rs" 591 17 591 19] (12 : int32))); + _104 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB54 + } + BB54 { + _106 <- Borrow.borrow_mut l3; + l3 <- ^ _106; + _105 <- ([#"../src/lib.rs" 592 4 592 20] PushBack0.push_back _106 ([#"../src/lib.rs" 592 17 592 19] (12 : int32))); + _106 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB55 + } + BB55 { + _108 <- Borrow.borrow_mut l4; + l4 <- ^ _108; + _107 <- ([#"../src/lib.rs" 593 4 593 20] PushBack0.push_back _108 ([#"../src/lib.rs" 593 17 593 19] (12 : int32))); + _108 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB56 + } + BB56 { + _110 <- Borrow.borrow_mut l1; + l1 <- ^ _110; + _109 <- ([#"../src/lib.rs" 595 4 595 20] PushBack0.push_back _110 ([#"../src/lib.rs" 595 17 595 19] (13 : int32))); + _110 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB57 + } + BB57 { + _112 <- Borrow.borrow_mut l2; + l2 <- ^ _112; + _111 <- ([#"../src/lib.rs" 596 4 596 20] PushBack0.push_back _112 ([#"../src/lib.rs" 596 17 596 19] (13 : int32))); + _112 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB58 + } + BB58 { + _114 <- Borrow.borrow_mut l3; + l3 <- ^ _114; + _113 <- ([#"../src/lib.rs" 597 4 597 20] PushBack0.push_back _114 ([#"../src/lib.rs" 597 17 597 19] (13 : int32))); + _114 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB59 + } + BB59 { + _116 <- Borrow.borrow_mut l4; + l4 <- ^ _116; + _115 <- ([#"../src/lib.rs" 598 4 598 20] PushBack0.push_back _116 ([#"../src/lib.rs" 598 17 598 19] (13 : int32))); + _116 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB60 + } + BB60 { + _118 <- Borrow.borrow_mut l1; + l1 <- ^ _118; + _117 <- ([#"../src/lib.rs" 600 4 600 20] PushBack0.push_back _118 ([#"../src/lib.rs" 600 17 600 19] (14 : int32))); + _118 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB61 + } + BB61 { + _120 <- Borrow.borrow_mut l2; + l2 <- ^ _120; + _119 <- ([#"../src/lib.rs" 601 4 601 20] PushBack0.push_back _120 ([#"../src/lib.rs" 601 17 601 19] (14 : int32))); + _120 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB62 + } + BB62 { + _122 <- Borrow.borrow_mut l3; + l3 <- ^ _122; + _121 <- ([#"../src/lib.rs" 602 4 602 20] PushBack0.push_back _122 ([#"../src/lib.rs" 602 17 602 19] (14 : int32))); + _122 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB63 + } + BB63 { + _124 <- Borrow.borrow_mut l4; + l4 <- ^ _124; + _123 <- ([#"../src/lib.rs" 603 4 603 20] PushBack0.push_back _124 ([#"../src/lib.rs" 603 17 603 19] (14 : int32))); + _124 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB64 + } + BB64 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15/why3session.xml new file mode 100644 index 0000000..52ad94e --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-15/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..83592a7732990983dcd83961ff202858a15b8862 GIT binary patch literal 3542 zcmV;{4Jq;;iwFP!00000|J_zD11L%j#4fpq>} zMutnzK*H=_ciSEpK7XsfulpY$caVz3&t+hw7I(0uZg<-gbR26?(Pp#z@$|gw`b}l( z?aOBKwAp=Gx3KHq4ln&ONM#mt;ABVROCVHt-64M4;$t*#0fPPVP*K_vzhn!np7w|S zd%fB1zP;?nGSr*(_FLa=*2mM+Y4@$)R+NAUUH?aLhCIzL{pyV3Eoc)Sdcmt8tuFq!gr`7+zl zjpLQ&v54|`B_6LDjZcnOT{&K{7~DrMvPGN0qHStQ& zMOh0Pe8A1+F2AkgDQW|E&+{0p4-Bkd7Pd=m7^XqFhjqO@{RF+RG5A?gvw&8fZ1Uvu zK3rjd^Cvv#PjJo^1+hg%fu&yHxUQ&LM14}_#TaX!sz9y&?Pb5|Nmv9&l6FW#k0_Ko zn#wN>B-;Wa=Vk@S762)C1k|EvR`iltB}z?D)j2{cQnv{KMZe*m*kXbA>G1}YJI($SQ}%{)uNr>01SUis0Y3X4`l;Z;!3hriaku&2WBUQ=p^Hr-#OI2csI1Az zJ&eGbimCZ^w@9;4^^2Gpun?3r3|v5A|4bqqnp(}1}=^eWVB*Mp`iCMqUF zx4Z%v>>83V&>l-j#n?GgF*ZdibQ?x9-ei5AqmGE_kH{SXbp)c0$f%Q?TMo{x29MT* z=bFKBZDEl^0!Io*r!)kEv3G+p^C;A)JH}bWgXG;}@NO}}Mi2F}L`N$B-(Y~Ih91Mf z4e$rAFHjpoZiau#yxaQ#!033+Bm}_lNmPoS>3&<{H%j z2K~3#XlbdHu)NSpxi)HorR0j`5aPEc@(1^>Sl%0$LbtUM0Lt!w8-6gtEhn)NdonaY zBOC#MfeMMBA6wi#249Fk`r$(fZlX@u#c7>jh>w63#|jLz5eT@Qrv{>;O=!bGW{?xo z_|yacIFIOz*?d=@0DBRpMjiDR*m@8H^JK*5`CBF}AH%;oWzDb;4dGw=>|5)b**8v| z*FQhB6sCd&PH2FBb5G(}e}MiL6b01H8>thR3e=+}DRu`u@~zm-uB?B6pLMf49CknY z?kB*QQJB+^OY=$tO(e_HjG~{sAe)kQBu<^7zsm``=&sZQEa!U3m|9Wq-gc z%MVhJc|=yfr-rpOIw`7Xhrn!v&e=*7BCG`(e<-)HTYK)`M%srH9;LD3HxwG8E1bbLE?T z-2-U|e7E-MGvr0Y+rsNj_Ifk*`fdNm$$Py)uQ!*xUdu`g57c2tnvcC+b6k2MLq)Im z*vGQh>+=-V`?R{|^-6g_{2bQ-GxnO-;zhvY7jc^h z*zbVxm-2W$P07>J zP&63l@kr!S9-kI{NVSG(9$&2V+ng>;ThX}^mDC}J+Z8SDRMZw1DMpHm6r*Ln8*WuT zS9{s6{dJv(OXzwXZN-m;u2F`K9bVor&Zpx%ji(DK)*?|S1*51BNY?R}h?_5Fq%=A= zu+r46kN@1Qx2H%2@8Wm40O7CPYKV~c{wrQ<^duxg4*s}~N$KNh6m1NgR%Kp`DKQAK z^SA^T1%q+vH5zGp%x#TXOysDHEhB7ZiTyy|z8Vek63m5t1T=Qa<*g*9%ihKNp$Ii^ zdM5}xZeU_o9|Xns(oRd?NI#4J_GgaQ#UJ$Z9!9Tc+5nQH1b} zGD@#-2O*K7p$tkfl!f9bm8h>puF@yj`BYe*OPBkXHqE)aNI0I?1nXXgektt3RWyjE0#B`SWc|?Jr)@5>T%V? z)q*4VBy)KJd;?pYT>7!1EsGb#mK4Vr>)KfeRe}c1E|-MW*zqg|-#W1I#e|>TOwt2_9&Q4rc<&=cic4=^QARJT{+&5zqtb6_ zK7EyiDbs6;xK_bti}IO5md_Nb$gaUE%L1~uQyc8vdqB~R9bqu}DoYKT>c%7;u#E*| zaF1UDSf__L>;3i-ScbFp$MuAf*1H>E;d#Gz(U!);s?sZ8B;&!PDC7E7o8Z(J>0F{R z0YmO965$mqPWA=rp=zDVFGVlK)HvQ<>^u~)hw>A%LsgSiJk~ct3#LxX80dPwDx-Xv zI~HcJjDaJeB7?VhUj>I7<3*iu&>5CAIKN20NJV`f!&ySe2`7e}@JS)pMVR??v#>!g zWL4$K_;&kpI7ITpt>o3?ThyClpAIKHy=28Qo)jBjRxphD(6f%~@G|%?;eW9bl&Vp& zXMS4DA47Q)PF{+#G8ZAmx8}L!VNI5A6haI*$tuayLzT=zOMKXn7f(w9Qy`nlbiyn~ zXCyEP!SGdU5T*^GOkA`!Aq#5|!dF0(H7q99fJ9(M1Z=-s{)#nJf?-YAXQRX4jre=adKv$hFXf-mV7wKhbkh{?`|WuuYeG-STb%I@vB^MiGCcG4 z1r9mo&BnahZQksR_cXnNp1>Ob*U-!xrfN3jO~$;*ZQkUJH#y@?0&j>K+UAr6VwtiN z-g=Z@`p<&*S?;QJpg#}R(Kb2%jd`?Oxk|;C2fSH?; zC^MBL_LTRokn3WV89rhH3qfAx)K>W{R!=37V@Zn4cKGwu_4e+r?Hj^6tDDw9^lF6S zZC&eLuX-zZE8CfH+%ZQTxmy`)yQZg2-$Jep=OA_4HH}g=ZDp;R8KsUAXPt4{DJSDH zYC78(OU+6UDpzdPb#>b|R0_ilqhiLGW7IL?sCCphsvT91N=JpG+|fX#WrS#DWZSh0 zayVWqB3fyb>Dpd1sb+#WZXGv{YsZ!2(s2--JI)-ZjuXeMW5zMBz2NFVVy8eXeX2t(h1=N zcY--Vvkr_jM6rgOo=C1&dL=rlIwq;4+%jrsiaAC9M<%o}rfFBC@5!p;jI~`2k%zXh zw?>(MHPhN@<+OBKIL)1APE)6eQ`RZtl=iw($|>oT@LE#5I7S7^u&S#`CmATIU#Uh* z;9zWPI@6n(;m$B;s3!r(2xdT>woaQ&f{7I+tZ(|huUjRA>ZP!hf;n+rv!2b2bVl4H z(J{qZZ5!3vM(a*CylZP^y$v>Z)=<78E6r(5c&BHS zfDv0~VYPNvIV+tN&T?m&HzG@&C7!GS;saT&v{9fF(i77(E7tUl?E7xjX~=h^ k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute + type k + type v + use map.Map + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Map.map k v + function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () = + [#"../src/lib.rs" 11 4 11 10] () + val map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + ensures { result = map_set_commute x k1 k2 v1 v2 } + + axiom map_set_commute_spec : forall x : Map.map k v, k1 : k, k2 : k, v1 : v, v2 : v . ([#"../src/lib.rs" 13 15 13 23] k1 <> k2) -> ([#"../src/lib.rs" 15 33 15 34] Inv0.inv x) -> ([#"../src/lib.rs" 15 51 15 53] Inv1.inv k1) -> ([#"../src/lib.rs" 15 58 15 60] Inv1.inv k2) -> ([#"../src/lib.rs" 15 65 15 67] Inv2.inv v1) -> ([#"../src/lib.rs" 15 72 15 74] Inv2.inv v2) -> ([#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1) +end +module CargoDir_Lemmas_MapSetCommute_Impl + type k + type v + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = v + clone TyInv_Trivial as TyInv_Trivial2 with + type t = v, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = k + clone TyInv_Trivial as TyInv_Trivial1 with + type t = k, + predicate Inv0.inv = Inv1.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Map.map k v + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Map.map k v, + predicate Inv0.inv = Inv0.inv, + axiom . + let rec ghost function map_set_commute [#"../src/lib.rs" 15 4 15 78] (x : Map.map k v) (k1 : k) (k2 : k) (v1 : v) (v2 : v) : () + requires {[#"../src/lib.rs" 13 15 13 23] k1 <> k2} + requires {[#"../src/lib.rs" 15 33 15 34] Inv0.inv x} + requires {[#"../src/lib.rs" 15 51 15 53] Inv1.inv k1} + requires {[#"../src/lib.rs" 15 58 15 60] Inv1.inv k2} + requires {[#"../src/lib.rs" 15 65 15 67] Inv2.inv v1} + requires {[#"../src/lib.rs" 15 72 15 74] Inv2.inv v2} + ensures { [#"../src/lib.rs" 14 14 14 68] Map.set (Map.set x k1 v1) k2 v2 = Map.set (Map.set x k2 v2) k1 v1 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 11 4 11 10] () +end +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CargoDir_LinkedList_Node_Type + use prelude.Opaque + type t_node 't = + | C_Node 't opaque_ptr opaque_ptr + + let function node_prev (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ _ a -> a + end + let function node_next (self : t_node 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node _ a _ -> a + end + let function node_data (self : t_node 't) : 't = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Node a _ _ -> a + end +end +module CargoDir_LinkedList_LinkedList_Type + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_linkedlist 't = + | C_LinkedList opaque_ptr opaque_ptr (Ghost.ghost_ty (Seq.seq opaque_ptr)) (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't)) + + let function linkedlist_ptrs (self : t_linkedlist 't) : Ghost.ghost_ty (Seq.seq opaque_ptr) + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ a _ -> a + end + let function linkedlist_token (self : t_linkedlist 't) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node 't) + + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ _ _ a -> a + end + let function linkedlist_head (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList a _ _ _ -> a + end + let function linkedlist_tail (self : t_linkedlist 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_LinkedList _ a _ _ -> a + end +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl0_ShallowModel + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + + val shallow_model (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + ensures { result = shallow_model self } + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Stub + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Mk_Interface + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_Mk + type k + type v + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use Core_Option_Option_Type as Core_Option_Option_Type + function mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val mk (_m : Map.map k (Core_Option_Option_Type.t_option v)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { result = mk _m } + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Stub + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + +end +module CreusotContracts_Logic_Fmap_Impl0_View_Interface + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_View + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + + val view (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : Map.map k (Core_Option_Option_Type.t_option v) + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv result } + ensures { result = view self } + + axiom view_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 16 28 20] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 28 4 28 35] Inv1.inv (view self)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 27 14 27 38] Mk0.mk (view self) = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Stub + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + +end +module CreusotContracts_Logic_Fmap_Impl0_Get_Interface + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Get + type k + type v + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + function get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (View0.view self) k + val get [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : Core_Option_Option_Type.t_option v + ensures { result = get self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool +end +module CreusotContracts_Logic_Fmap_Impl0_Contains_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Contains + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 77 8 77 27] Get0.get self k <> Core_Option_Option_Type.C_None + val contains (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : bool + ensures { result = contains self k } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_AddrLogic + type t + use prelude.Opaque + use prelude.Int + function addr_logic (self : opaque_ptr) : int + val addr_logic (self : opaque_ptr) : int + ensures { result = addr_logic self } + +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Stub + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr +end +module CreusotContracts_GhostPtr_Impl2_NullLogic_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_GhostPtr_Impl2_NullLogic + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + function null_logic (_1 : ()) : opaque_ptr + val null_logic (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic result -> ptr = result } + ensures { result = null_logic _1 } + + axiom null_logic_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 130 4 130 98] forall ptr : opaque_ptr . AddrLogic0.addr_logic ptr = AddrLogic0.addr_logic (null_logic _1) -> ptr = null_logic _1) && ([#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 128 4 128 64] forall t : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t . Inv0.inv t -> not Contains0.contains (ShallowModel0.shallow_model t) (null_logic _1)) +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Logic_Ops_Impl6_IndexLogic + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + function index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot/creusot-contracts/src/logic/ops.rs" 85 8 85 33] Seq.get (Ghost.inner self) ix + val index_logic [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_PrevOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 223 8 223 16] if i = 0 then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + + val prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + ensures { result = prev_of self i } + +end +module CargoDir_LinkedList_Impl0_PrevOf_Impl + type t + use prelude.Int + use prelude.Opaque + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function prev_of [#"../src/lib.rs" 226 8 226 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 225 19 225 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 223 8 223 16] if pure {i = 0} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i - 1) + +end +module CargoDir_LinkedList_Impl0_NextOf_Stub + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + +end +module CargoDir_LinkedList_Impl0_NextOf_Interface + type t + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + + = + [#"../src/lib.rs" 234 8 234 16] if i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + + val next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + ensures { result = next_of self i } + +end +module CargoDir_LinkedList_Impl0_NextOf_Impl + type t + use prelude.Int + use prelude.Opaque + use prelude.Ghost + use seq.Seq + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + let rec ghost function next_of [#"../src/lib.rs" 237 8 237 50] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : opaque_ptr + requires {[#"../src/lib.rs" 236 19 236 25] i >= 0} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 234 8 234 16] if pure {i + 1 = Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} then + NullLogic0.null_logic () + else + IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (i + 1) + +end +module CreusotContracts_Util_Unreachable_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t +end +module CreusotContracts_Util_Unreachable_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unreachable + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function unreachable (_1 : ()) : t + val unreachable (_1 : ()) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv result } + ensures { result = unreachable _1 } + + axiom def : forall _1 : () . unreachable _1 = ([#"../../../../creusot/creusot-contracts/src/util.rs" 28 4 28 17] unreachable ()) + axiom unreachable_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 27 0 27 28] Inv0.inv (unreachable _1)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 25 10 25 15] false) +end +module CreusotContracts_Util_Unwrap_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t +end +module CreusotContracts_Util_Unwrap_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Util_Unwrap + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Util_Unreachable_Stub as Unreachable0 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option t + function unwrap (op : Core_Option_Option_Type.t_option t) : t = + [#"../../../../creusot/creusot-contracts/src/util.rs" 36 4 39 5] match (op) with + | Core_Option_Option_Type.C_Some t -> t + | Core_Option_Option_Type.C_None -> Unreachable0.unreachable () + end + val unwrap (op : Core_Option_Option_Type.t_option t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some result = op } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv result } + ensures { result = unwrap op } + + axiom unwrap_spec : forall op : Core_Option_Option_Type.t_option t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 17 35 19] Inv0.inv op) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 35 0 35 36] Inv1.inv (unwrap op)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap op) = op) +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_LookupUnsized + type k + type v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = Core_Option_Option_Type.t_option v + clone CreusotContracts_Util_Unwrap_Stub as Unwrap0 with + type t = v, + predicate Inv0.inv = Inv0.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + function lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 61 8 61 27] Unwrap0.unwrap (Get0.get self k) + val lookup_unsized (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup_unsized self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module CreusotContracts_Logic_Fmap_Impl0_Lookup + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = k, + type v = v + function lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 71 9 71 31] LookupUnsized0.lookup_unsized self k + val lookup [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : v + ensures { result = lookup self k } + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module CargoDir_LinkedList_Impl0_WfToken_Stub + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + +end +module CargoDir_LinkedList_Impl0_WfToken_Interface + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf_Stub as NextOf0 with + type t = t, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf_Stub as PrevOf0 with + type t = t, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + + = + [#"../src/lib.rs" 245 8 245 20] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i) /\ CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = PrevOf0.prev_of self i /\ CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)) = NextOf0.next_of self i + val wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) : bool + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + ensures { result = wf_token self i } + +end +module CargoDir_LinkedList_Impl0_WfToken_Impl + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv2.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + let rec ghost predicate wf_token [#"../src/lib.rs" 248 8 248 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) (i : int) + requires {[#"../src/lib.rs" 247 19 247 48] i >= 0 /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))} + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../src/lib.rs" 245 8 245 20] (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Contains0.contains a' b') && (let b = PrevOf0.prev_of self i in let a = CargoDir_LinkedList_Node_Type.node_prev (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) && (let b = NextOf0.next_of self i in let a = CargoDir_LinkedList_Node_Type.node_next (let a' = ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self) in let b' = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i in Lookup0.lookup a' b') in pure {a = b}) +end +module CargoDir_LinkedList_Impl0_Invariant_Stub + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) +end +module CargoDir_LinkedList_Impl0_Invariant_Interface + type t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Invariant + type t + use prelude.Int + use prelude.Ghost + use seq.Seq + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_WfToken_Stub as WfToken0 with + type t = t, + axiom . + predicate invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = + [#"../src/lib.rs" 257 12 266 13] (forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) -> WfToken0.wf_token self i) /\ (if Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) = 0 then + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = NullLogic0.null_logic () /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = NullLogic0.null_logic () + else + CargoDir_LinkedList_LinkedList_Type.linkedlist_head self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) 0 /\ CargoDir_LinkedList_LinkedList_Type.linkedlist_tail self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) - 1) + ) + val invariant' [#"../src/lib.rs" 256 8 256 38] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Model_Stub + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t +end +module CargoDir_LinkedList_Impl0_Model_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module CargoDir_LinkedList_Impl0_Model + type t + use seq.Seq + use prelude.Ghost + use prelude.Int + use prelude.Mapping + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Lookup_Stub as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + function model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + = + [#"../src/lib.rs" 273 16 274 77] Seq.create (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self))) (Mapping.from_fn (fun (i : int) -> CargoDir_LinkedList_Node_Type.node_data (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token self)) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self) i)))) + val model [#"../src/lib.rs" 271 8 271 36] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : Seq.seq t + ensures { result = model self } + +end +module Core_Ptr_Null_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val null (_1 : ()) : opaque_ptr + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 168 22 168 59] result = NullLogic0.null_logic () } + +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int +end +module CreusotContracts_Logic_Fmap_Impl0_Len_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Len + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + function len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + val len (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : int + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] result >= 0 } + ensures { result = len self } + + axiom len_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 13 15 13 19] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len self >= 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Stub + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v +end +module CreusotContracts_Logic_Fmap_Impl0_Empty_Interface + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_Logic_Fmap_Impl0_Empty + type k + type v + use map.Const + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + function empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + val empty (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len result = 0 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view result = Const.const (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv result } + ensures { result = empty _1 } + + axiom empty_spec : forall _1 : () . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 85 4 85 26] Inv0.inv (empty _1)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 84 14 84 49] View0.view (empty _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 83 14 83 31] Len0.len (empty _1) = 0) +end +module CreusotContracts_GhostPtr_Impl1_New_Interface + type t + use map.Map + use prelude.Opaque + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Stub as Empty0 with + type k = opaque_ptr, + type v = t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv1.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val new (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 27 14 27 38] ShallowModel0.shallow_model result = Empty0.empty () } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 28 4 28 24] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val new [#"../src/lib.rs" 292 8 292 28] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + +end +module CargoDir_LinkedList_Impl0_New + type t + use seq.Seq + use prelude.Ghost + use prelude.Opaque + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv3.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv1.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv3.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + let rec cfg new [#"../src/lib.rs" 292 8 292 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + ensures { [#"../src/lib.rs" 290 18 290 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 291 18 291 46] Model0.model result = Seq.empty } + ensures { [#"../src/lib.rs" 292 24 292 28] Inv0.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _4 : opaque_ptr; + var _5 : opaque_ptr; + var _6 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var _8 : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + { + goto BB0 + } + BB0 { + _4 <- ([#"../src/lib.rs" 294 22 294 33] Null0.null ()); + goto BB1 + } + BB1 { + _5 <- ([#"../src/lib.rs" 295 22 295 33] Null0.null ()); + goto BB2 + } + BB2 { + _6 <- ([#"../src/lib.rs" 296 22 296 37] Ghost.new (Seq.empty )); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 297 23 297 43] New0.new ()); + goto BB4 + } + BB4 { + this <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList _4 _5 _6 _8; + _4 <- any opaque_ptr; + _5 <- any opaque_ptr; + _6 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + _8 <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + assert { [@expl:assertion] [#"../src/lib.rs" 299 26 299 57] Seq.(==) (Model0.model this) (Seq.empty ) }; + _0 <- this; + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + return _0 + } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Util_Impl0_MakeSized_Stub + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t +end +module CreusotContracts_Util_Impl0_MakeSized_Interface + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Util_Impl0_MakeSized + type t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + function make_sized (self : t) : t + val make_sized (self : t) : t + requires {[#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] result = self } + ensures { [#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv result } + ensures { result = make_sized self } + + axiom make_sized_spec : forall self : t . ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 18 16 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/util.rs" 16 4 16 39] Inv1.inv (make_sized self)) && ([#"../../../../creusot/creusot-contracts/src/util.rs" 15 14 15 29] make_sized self = self) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Stub + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Insert_Interface + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_Logic_Fmap_Impl0_Insert + type k + type v + use map.Map + use prelude.Int + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = v + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = v + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = v, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val insert (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) (v : v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v)) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len result = Len0.len self } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len result = Len0.len self + 1 } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv result } + ensures { result = insert self k v } + + axiom insert_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k, v : v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 18 38 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 24 38 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 30 38 31] Inv2.inv v) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 38 4 38 43] Inv0.inv (insert self k v)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self + 1) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 36 4 36 63] Contains0.contains self k -> Len0.len (insert self k v) = Len0.len self) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 35 14 35 71] View0.view (insert self k v) = Map.set (View0.view self) k (Core_Option_Option_Type.C_Some (MakeSized0.make_sized v))) +end +module CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv1.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv1.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val ptr_from_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (val' : t) : opaque_ptr + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 29 57 33] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 57 35 57 38] Inv1.inv val'} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 53 4 53 42] not Contains0.contains (ShallowModel0.shallow_model ( * self)) result } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 56 14 56 55] ShallowModel0.shallow_model ( ^ self) = Insert0.insert (ShallowModel0.shallow_model ( * self)) result val' } + +end +module CargoDir_LinkedList_Impl0_Singleton_Interface + type t + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = t + val singleton [#"../src/lib.rs" 305 8 305 38] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv0.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Singleton + type t + use prelude.Opaque + use prelude.Borrow + use seq.Seq + use prelude.Ghost + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv6.inv + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv4.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Empty_Interface as Empty0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv0.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrFromBox_Interface as PtrFromBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv5.inv, + predicate Inv1.inv = Inv6.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function Insert0.insert = Insert0.insert, + predicate Inv2.inv = Inv3.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv8.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv4.inv + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_New_Interface as New0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Empty0.empty = Empty0.empty, + predicate Inv0.inv = Inv0.inv, + function Len0.len = Len0.len, + function View0.view = View0.view, + predicate Inv1.inv = Inv3.inv, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv + let rec cfg singleton [#"../src/lib.rs" 305 8 305 38] [@cfg:stackify] [@cfg:subregion_analysis] (v : t) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + requires {[#"../src/lib.rs" 305 25 305 26] Inv1.inv v} + ensures { [#"../src/lib.rs" 303 18 303 36] Invariant0.invariant' result } + ensures { [#"../src/lib.rs" 304 18 304 58] Seq.(==) (Model0.model result) (Seq.singleton v) } + ensures { [#"../src/lib.rs" 305 34 305 38] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var v : t = v; + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _7 : opaque_ptr; + var _8 : opaque_ptr; + var ptr : opaque_ptr; + var _10 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _15 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + token <- ([#"../src/lib.rs" 307 28 307 48] New0.new ()); + goto BB2 + } + BB2 { + _7 <- ([#"../src/lib.rs" 310 22 310 33] Null0.null ()); + goto BB3 + } + BB3 { + _8 <- ([#"../src/lib.rs" 311 22 311 33] Null0.null ()); + goto BB4 + } + BB4 { + node <- CargoDir_LinkedList_Node_Type.C_Node v _7 _8; + v <- any t; + _7 <- any opaque_ptr; + _8 <- any opaque_ptr; + goto BB5 + } + BB5 { + _10 <- Borrow.borrow_mut token; + token <- ^ _10; + assume { Inv0.inv ( ^ _10) }; + goto BB6 + } + BB6 { + ptr <- ([#"../src/lib.rs" 313 22 313 56] PtrFromBox0.ptr_from_box _10 node); + _10 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + node <- any CargoDir_LinkedList_Node_Type.t_node t; + goto BB7 + } + BB7 { + assume { Resolve0.resolve ptr }; + _15 <- ([#"../src/lib.rs" 317 22 317 46] Ghost.new (Seq.singleton ptr)); + goto BB8 + } + BB8 { + _0 <- CargoDir_LinkedList_LinkedList_Type.C_LinkedList ptr ptr _15 token; + _15 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + token <- any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t); + goto BB9 + } + BB9 { + goto BB10 + } + BB10 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Subset + type k + type v + use Core_Option_Option_Type as Core_Option_Option_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 104 8 104 81] forall k : k . Inv0.inv k -> Contains0.contains self k -> Get0.get other k = Get0.get self k + val subset (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = subset self other } + +end +module CreusotContracts_Resolve_Impl1_Resolve_Stub + type t + use prelude.Borrow + predicate resolve (self : borrowed t) +end +module CreusotContracts_Resolve_Impl1_Resolve_Interface + type t + use prelude.Borrow + predicate resolve (self : borrowed t) + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Resolve_Impl1_Resolve + type t + use prelude.Borrow + predicate resolve (self : borrowed t) = + [#"../../../../creusot/creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve (self : borrowed t) : bool + ensures { result = resolve self } + +end +module Core_Ptr_ConstPtr_Impl0_IsNull_Interface + type t + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + val is_null (self : opaque_ptr) : bool + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 159 18 159 65] result = (self = NullLogic0.null_logic ()) } + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Stub + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Remove_Interface + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_Logic_Fmap_Impl0_Remove + type k + type v + use map.Map + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = Map.map k (Core_Option_Option_Type.t_option v) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + function remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val remove (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (k : k) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view result = Map.set (View0.view self) k (Core_Option_Option_Type.C_None) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len result = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv result } + ensures { result = remove self k } + + axiom remove_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, k : k . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 18 47 22] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 24 47 25] Inv1.inv k) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 47 4 47 37] Inv0.inv (remove self k)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 46 14 46 84] Len0.len (remove self k) = (if Contains0.contains self k then + Len0.len self - 1 + else + Len0.len self + )) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 45 14 45 55] View0.view (remove self k) = Map.set (View0.view self) k (Core_Option_Option_Type.C_None)) +end +module CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Stub as Remove0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + val ptr_to_box (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 105 4 105 39] Contains0.contains (ShallowModel0.shallow_model ( * self)) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 27 108 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 106 14 106 54] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 107 14 107 46] ShallowModel0.shallow_model ( ^ self) = Remove0.remove (ShallowModel0.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 108 4 108 57] Inv1.inv result } + +end +module CreusotContracts_Model_ShallowModel_ShallowModelTy_Type + type self + type shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Stub + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_ShallowModel_ShallowModel_Interface + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_ShallowModel_ShallowModel + type self + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = self + function shallow_model (self : self) : ShallowModelTy0.shallowModelTy + val shallow_model (self : self) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl7_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl7_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 101 8 101 31] ShallowModel0.shallow_model ( * self) + val shallow_model (self : borrowed t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface + type t + use prelude.Borrow + use prelude.Opaque + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv6 with + type t = t + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Stub as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option t) + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Stub as Mk0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv4 with + type t = t + clone CreusotContracts_Util_Impl0_MakeSized_Stub as MakeSized0 with + type t = t, + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Stub as View0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = borrowed t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Stub as Insert0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + predicate Inv2.inv = Inv4.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv5.inv, + predicate Inv4.inv = Inv6.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + clone CreusotContracts_Model_Impl7_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_mut (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (ptr : opaque_ptr) : borrowed t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 94 4 94 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 27 97 31] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 95 14 95 54] * result = LookupUnsized0.lookup_unsized (ShallowModel1.shallow_model ( * self)) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 96 14 96 55] ShallowModel1.shallow_model ( ^ self) = Insert0.insert (ShallowModel1.shallow_model ( * self)) ptr ( ^ result) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 97 4 97 57] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_front [#"../src/lib.rs" 327 8 327 40] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv0.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopFront + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_front [#"../src/lib.rs" 327 8 327 40] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 323 19 323 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 324 19 324 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 327 30 327 34] Inv3.inv self} + ensures { [#"../src/lib.rs" 325 18 325 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 326 18 326 88] Seq.(==) (Seq.(++) (Seq.singleton result) (Model0.model ( ^ self))) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 327 39 327 40] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _20 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _27 : (); + var _28 : bool; + var _30 : opaque_ptr; + var _31 : Ghost.ghost_ty (Seq.seq opaque_ptr); + var new_head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _44 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _46 : opaque_ptr; + var _47 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 328 33 328 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 329 12 329 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 330 15 330 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + assert { [@expl:assertion] [#"../src/lib.rs" 333 30 333 55] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 334 30 334 49] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 0 }; + assert { [@expl:assertion] [#"../src/lib.rs" 335 16 335 80] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0) }; + _20 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _20)) }; + assume { Inv1.inv ( ^ _20) }; + node <- ([#"../src/lib.rs" 336 27 336 59] PtrToBox0.ptr_to_box _20 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _20 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 337 16 337 158] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 0 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 338 16 338 131] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList (CargoDir_LinkedList_Node_Type.node_next node) b c d) }; + _28 <- ([#"../src/lib.rs" 340 19 340 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB6 + } + BB6 { + switch (_28) + | False -> goto BB10 + | True -> goto BB7 + end + } + BB7 { + _30 <- ([#"../src/lib.rs" 341 32 341 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a _30 c d) }; + _30 <- any opaque_ptr; + _31 <- ([#"../src/lib.rs" 342 32 342 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB9 + } + BB9 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _31 d) }; + _31 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + _27 <- (); + goto BB14 + } + BB10 { + assert { [@expl:assertion] [#"../src/lib.rs" 344 34 344 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 345 20 345 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 346 34 346 50] WfToken0.wf_token ( * self) 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 347 20 347 84] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 348 34 348 59] CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) 1 }; + _44 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _44)) }; + assume { Inv1.inv ( ^ _44) }; + new_head <- ([#"../src/lib.rs" 349 35 349 67] PtrAsMut0.ptr_as_mut _44 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + _44 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB11 + } + BB11 { + _46 <- ([#"../src/lib.rs" 350 36 350 47] Null0.null ()); + goto BB12 + } + BB12 { + new_head <- { new_head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_head in CargoDir_LinkedList_Node_Type.C_Node a b _46) }; + _46 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * new_head)) }; + assert { [@expl:type invariant] Inv2.inv new_head }; + assume { Resolve3.resolve new_head }; + _47 <- ([#"../src/lib.rs" 351 32 351 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 1 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)))))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _47 d) }; + _47 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 352 20 352 136] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) /\ WfToken0.wf_token (Ghost.inner self_ghost_old) (i + 1) -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 353 20 353 102] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token ( * self) i }; + _27 <- (); + goto BB14 + } + BB14 { + assert { [@expl:assertion] [#"../src/lib.rs" 356 30 356 68] CargoDir_LinkedList_Node_Type.node_data node = Seq.get (Model0.model (Ghost.inner self_ghost_old)) 0 }; + goto BB15 + } + BB15 { + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB16 + } + BB16 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PopBack_Interface + type t + use prelude.Borrow + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val pop_back [#"../src/lib.rs" 365 8 365 39] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv0.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_PopBack + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Opaque + use seq.Seq + use prelude.Int + use seq_ext.SeqExt + use map.Map + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial13 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv13.inv, + axiom . + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial12 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv11.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial7 with + type t = opaque_ptr, + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = t + clone TyInv_Trivial as TyInv_Trivial5 with + type t = t, + predicate Inv0.inv = Inv5.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial2 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv4.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv10.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv11.inv, + predicate Inv4.inv = Inv4.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv13.inv, + predicate Inv1.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Logic_Fmap_Impl0_Remove_Interface as Remove0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + predicate Inv1.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Contains0.contains = Contains0.contains, + function Mk0.mk = Mk0.mk, + predicate Inv2.inv = Inv11.inv, + axiom . + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = opaque_ptr + clone Core_Ptr_Null_Interface as Null0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv2.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + predicate Inv4.inv = Inv12.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv11.inv, + predicate Inv6.inv = Inv4.inv + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl1_PtrToBox_Interface as PtrToBox0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv9.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Remove0.remove = Remove0.remove, + predicate Inv1.inv = Inv4.inv, + predicate Inv2.inv = Inv10.inv, + predicate Inv3.inv = Inv7.inv, + function View0.view = View0.view, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv4.inv = Inv11.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv1.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + predicate Inv2.inv = Inv8.inv, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + let rec cfg pop_back [#"../src/lib.rs" 365 8 365 39] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) : t + requires {[#"../src/lib.rs" 361 19 361 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 362 19 362 44] Seq.length (Model0.model ( * self)) > 0} + requires {[#"../src/lib.rs" 365 29 365 33] Inv3.inv self} + ensures { [#"../src/lib.rs" 363 18 363 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 364 18 364 88] Seq.(==) (Seq.(++) (Model0.model ( ^ self)) (Seq.singleton result)) (Model0.model ( * self)) } + ensures { [#"../src/lib.rs" 365 38 365 39] Inv5.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : t; + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var self_ghost_old : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _8 : (); + var _9 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _21 : (); + var _22 : bool; + var _24 : opaque_ptr; + var new_tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _36 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _38 : opaque_ptr; + var _39 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + self_ghost_old <- ([#"../src/lib.rs" 366 33 366 43] Ghost.new ( * self)); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv self_ghost_old }; + assume { Resolve0.resolve self_ghost_old }; + _8 <- ([#"../src/lib.rs" 367 12 367 62] ()); + assume { Resolve1.resolve _8 }; + _9 <- ([#"../src/lib.rs" 368 15 368 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB2 + } + BB2 { + switch (_9) + | False -> goto BB4 + | True -> goto BB3 + end + } + BB3 { + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + absurd + } + BB4 { + _14 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _14)) }; + assume { Inv1.inv ( ^ _14) }; + node <- ([#"../src/lib.rs" 371 27 371 59] PtrToBox0.ptr_to_box _14 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB5 + } + BB5 { + assert { [@expl:assertion] [#"../src/lib.rs" 372 16 372 176] forall i : opaque_ptr . Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) i /\ i <> IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1) -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 373 16 373 135] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1 -> Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) i) }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_Node_Type.node_prev node) c d) }; + _22 <- ([#"../src/lib.rs" 375 19 375 38] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + goto BB6 + } + BB6 { + switch (_22) + | False -> goto BB9 + | True -> goto BB7 + end + } + BB7 { + _24 <- ([#"../src/lib.rs" 376 32 376 43] Null0.null ()); + goto BB8 + } + BB8 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList _24 b c d) }; + _24 <- any opaque_ptr; + _21 <- (); + goto BB12 + } + BB9 { + assert { [@expl:assertion] [#"../src/lib.rs" 378 34 378 53] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) > 1 }; + assert { [@expl:assertion] [#"../src/lib.rs" 379 20 379 106] Subset0.subset (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner self_ghost_old))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 380 34 380 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + assert { [@expl:assertion] [#"../src/lib.rs" 381 20 381 102] Contains0.contains (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 382 34 382 77] CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self) = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 2) }; + _36 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _36)) }; + assume { Inv1.inv ( ^ _36) }; + new_tail <- ([#"../src/lib.rs" 383 35 383 67] PtrAsMut0.ptr_as_mut _36 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _36 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB10 + } + BB10 { + _38 <- ([#"../src/lib.rs" 384 36 384 47] Null0.null ()); + goto BB11 + } + BB11 { + new_tail <- { new_tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * new_tail in CargoDir_LinkedList_Node_Type.C_Node a _38 c) }; + _38 <- any opaque_ptr; + assume { Resolve2.resolve (CargoDir_LinkedList_Node_Type.node_next ( * new_tail)) }; + assert { [@expl:type invariant] Inv2.inv new_tail }; + assume { Resolve3.resolve new_tail }; + _21 <- (); + goto BB12 + } + BB12 { + _39 <- ([#"../src/lib.rs" 386 28 386 78] Ghost.new (SeqExt.subsequence (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) 0 (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) - 1))); + goto BB13 + } + BB13 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _39 d) }; + _39 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve4.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve5.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 387 16 387 129] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) -> WfToken0.wf_token (Ghost.inner self_ghost_old) i -> WfToken0.wf_token ( * self) i }; + _0 <- CargoDir_LinkedList_Node_Type.node_data node; + node <- (let CargoDir_LinkedList_Node_Type.C_Node a b c = node in CargoDir_LinkedList_Node_Type.C_Node (any t) b c); + assert { [@expl:type invariant] Inv4.inv node }; + assume { Resolve6.resolve node }; + goto BB14 + } + BB14 { + return _0 + } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint_Interface + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Disjoint + type k + type v + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = k + function disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + + = + [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 98 8 98 72] forall k : k . Inv0.inv k -> not Contains0.contains self k \/ not Contains0.contains other k + val disjoint (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : bool + ensures { result = disjoint self other } + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Stub + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + +end +module CreusotContracts_Logic_Fmap_Impl0_Union_Interface + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_Logic_Fmap_Impl0_Union + type k + type v + use prelude.Int + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = k, + type v = v, + predicate Inv0.inv = Inv0.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = k, + type v = v + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = k, + type v = v + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = k + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = k, + type v = v + function union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + + val union (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) (other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other} + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get result k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + ) } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len result = Len0.len self + Len0.len other } + ensures { [#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv result } + ensures { result = union self other } + + axiom union_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v, other : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap k v . ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 110 15 110 35] Disjoint0.disjoint self other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 17 119 21] Inv0.inv self) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 23 119 28] Inv0.inv other) -> ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 119 4 119 43] Inv0.inv (union self other)) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 118 14 118 54] Len0.len (union self other) = Len0.len self + Len0.len other) && ([#"../../../../creusot/creusot-contracts/src/logic/fmap.rs" 111 4 117 7] forall k : k . Inv1.inv k -> Get0.get (union self other) k = (if Contains0.contains self k then + Get0.get self k + else + if Contains0.contains other k then Get0.get other k else Core_Option_Option_Type.C_None + )) +end +module CreusotContracts_GhostPtr_Impl1_Merge_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv2 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + clone CreusotContracts_Logic_Fmap_Impl0_Len_Stub as Len0 with + type k = opaque_ptr, + type v = t, + predicate Inv0.inv = Inv2.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Get_Stub as Get0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv3 with + type t = opaque_ptr + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint_Stub as Disjoint0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Logic_Fmap_Impl0_Union_Stub as Union0 with + type k = opaque_ptr, + type v = t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv2.inv, + predicate Inv1.inv = Inv3.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) + val merge (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t)) (_other : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) : () + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 22 117 26] Inv0.inv self} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 117 28 117 34] Inv1.inv _other} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 113 4 113 42] Disjoint0.disjoint (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 116 14 116 49] ShallowModel0.shallow_model ( ^ self) = Union0.union (ShallowModel0.shallow_model ( * self)) (ShallowModel0.shallow_model _other) } + +end +module CargoDir_LinkedList_Impl0_Append_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val append [#"../src/lib.rs" 396 8 396 49] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv0.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv1.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + +end +module CargoDir_LinkedList_Impl0_Append + type t + use prelude.Ghost + use prelude.Borrow + use seq.Seq + use prelude.Opaque + use prelude.Int + use map.Map + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv12.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial10 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial9 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial8 with + type t = opaque_ptr, + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv7.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv6.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone TyInv_Trivial as TyInv_Trivial6 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use seq.Seq + use prelude.Ghost + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = borrowed (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Len_Interface as Len0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Util_Impl0_MakeSized_Interface as MakeSized0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Insert_Interface as Insert0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + predicate Inv2.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv3.inv = Inv10.inv, + predicate Inv4.inv = Inv11.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv12.inv, + predicate Inv1.inv = Inv11.inv + clone CreusotContracts_Model_Impl7_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Logic_Fmap_Impl0_Subset as Subset0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains, + function Get0.get = Get0.get + clone CreusotContracts_Logic_Fmap_Impl0_Disjoint as Disjoint0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv8.inv, + function Contains0.contains = Contains0.contains + clone CreusotContracts_Logic_Fmap_Impl0_Union_Interface as Union0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Disjoint0.disjoint = Disjoint0.disjoint, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len, + axiom . + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve6 with + type self = Ghost.ghost_ty (Seq.seq opaque_ptr) + clone CreusotContracts_GhostPtr_Impl1_Merge_Interface as Merge0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + predicate Inv1.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Disjoint0.disjoint = Disjoint0.disjoint, + function Union0.union = Union0.union, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + function Get0.get = Get0.get, + function Contains0.contains = Contains0.contains, + function Len0.len = Len0.len + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve5 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve4 with + type self = opaque_ptr + clone CreusotContracts_GhostPtr_Impl1_PtrAsMut_Interface as PtrAsMut0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv7.inv, + function ShallowModel1.shallow_model = ShallowModel0.shallow_model, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + function Insert0.insert = Insert0.insert, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + predicate Inv3.inv = Inv8.inv, + predicate Inv4.inv = Inv9.inv, + function View0.view = View0.view, + function MakeSized0.make_sized = MakeSized0.make_sized, + function Len0.len = Len0.len, + function Mk0.mk = Mk0.mk, + predicate Inv5.inv = Inv10.inv, + predicate Inv6.inv = Inv11.inv + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve3 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv4.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) + let rec cfg append [#"../src/lib.rs" 396 8 396 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : () + requires {[#"../src/lib.rs" 392 19 392 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 393 19 393 36] Invariant0.invariant' other} + requires {[#"../src/lib.rs" 396 27 396 31] Inv3.inv self} + requires {[#"../src/lib.rs" 396 37 396 42] Inv2.inv other} + ensures { [#"../src/lib.rs" 394 18 394 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 395 18 395 79] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Model0.model other)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var other : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = other; + var old_self : Ghost.ghost_ty (borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)); + var old_other : Ghost.ghost_ty (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : bool; + var _15 : bool; + var tail : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _18 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var head : borrowed (CargoDir_LinkedList_Node_Type.t_node t); + var _22 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _25 : (); + var _26 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + var _29 : Ghost.ghost_ty (Seq.seq opaque_ptr); + { + goto BB0 + } + BB0 { + old_self <- ([#"../src/lib.rs" 397 27 397 36] Ghost.new self); + goto BB1 + } + BB1 { + assert { [@expl:type invariant] Inv0.inv old_self }; + assume { Resolve0.resolve old_self }; + old_other <- ([#"../src/lib.rs" 398 28 398 38] Ghost.new other); + goto BB2 + } + BB2 { + assert { [@expl:type invariant] Inv1.inv old_other }; + assume { Resolve1.resolve old_other }; + _11 <- ([#"../src/lib.rs" 399 15 399 34] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head ( * self))); + goto BB3 + } + BB3 { + switch (_11) + | False -> goto BB5 + | True -> goto BB4 + end + } + BB4 { + self <- { self with current = other }; + other <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + assert { [@expl:type invariant] Inv2.inv ( * self) }; + assume { Resolve2.resolve ( * self) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB14 + } + BB5 { + _15 <- ([#"../src/lib.rs" 401 23 401 43] IsNull0.is_null (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + goto BB6 + } + BB6 { + switch (not _15) + | False -> goto BB12 + | True -> goto BB7 + end + } + BB7 { + _18 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _18)) }; + assume { Inv4.inv ( ^ _18) }; + tail <- ([#"../src/lib.rs" 402 27 402 59] PtrAsMut0.ptr_as_mut _18 (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))); + _18 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB8 + } + BB8 { + tail <- { tail with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * tail in CargoDir_LinkedList_Node_Type.C_Node a (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other) c) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_next ( * tail)) }; + assert { [@expl:type invariant] Inv5.inv tail }; + assume { Resolve5.resolve tail }; + _22 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _22)); + assume { Inv4.inv ( ^ _22) }; + head <- ([#"../src/lib.rs" 404 27 404 61] PtrAsMut0.ptr_as_mut _22 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head other)); + _22 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + goto BB9 + } + BB9 { + head <- { head with current = (let CargoDir_LinkedList_Node_Type.C_Node a b c = * head in CargoDir_LinkedList_Node_Type.C_Node a b (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail ( * self))) }; + assume { Resolve4.resolve (CargoDir_LinkedList_Node_Type.node_prev ( * head)) }; + assert { [@expl:type invariant] Inv5.inv head }; + assume { Resolve5.resolve head }; + _26 <- Borrow.borrow_mut (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self)); + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c ( ^ _26)) }; + assume { Inv4.inv ( ^ _26) }; + _25 <- ([#"../src/lib.rs" 407 16 407 45] Merge0.merge _26 (CargoDir_LinkedList_LinkedList_Type.linkedlist_token other)); + _26 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t)); + other <- (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = other in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c (any CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t))); + goto BB10 + } + BB10 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a (CargoDir_LinkedList_LinkedList_Type.linkedlist_tail other) c d) }; + _29 <- ([#"../src/lib.rs" 409 28 409 62] Ghost.new (Seq.(++) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self))) (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs other)))); + goto BB11 + } + BB11 { + self <- { self with current = (let CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b c d = * self in CargoDir_LinkedList_LinkedList_Type.C_LinkedList a b _29 d) }; + _29 <- any Ghost.ghost_ty (Seq.seq opaque_ptr); + assume { Resolve6.resolve (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * self)) }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + assert { [@expl:assertion] [#"../src/lib.rs" 410 16 410 116] forall b : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . forall a : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) . Inv6.inv b -> Inv6.inv a -> Disjoint0.disjoint a b -> Subset0.subset a (Union0.union a b) }; + assert { [@expl:assertion] [#"../src/lib.rs" 412 16 414 72] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 415 16 417 73] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) = Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) i) }; + assert { [@expl:assertion] [#"../src/lib.rs" 418 30 419 102] CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) = CargoDir_LinkedList_Node_Type.node_prev (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * Ghost.inner old_self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 420 30 421 82] CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token ( * self))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) = CargoDir_LinkedList_Node_Type.node_next (Lookup0.lookup (ShallowModel0.shallow_model (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (Ghost.inner old_other))) (IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other)) 0)) }; + assert { [@expl:assertion] [#"../src/lib.rs" 422 30 422 68] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1) }; + assert { [@expl:assertion] [#"../src/lib.rs" 423 30 423 64] WfToken0.wf_token ( * self) (Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + assert { [@expl:assertion] [#"../src/lib.rs" 425 16 425 131] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self))) - 1 -> WfToken0.wf_token ( * Ghost.inner old_self) i -> WfToken0.wf_token ( * self) i }; + assert { [@expl:assertion] [#"../src/lib.rs" 426 16 426 151] forall i : int . 1 <= i /\ i < Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (Ghost.inner old_other))) -> WfToken0.wf_token (Ghost.inner old_other) i -> WfToken0.wf_token ( * self) (i + Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs ( * Ghost.inner old_self)))) }; + _0 <- (); + goto BB13 + } + BB12 { + assert { [@expl:type invariant] Inv2.inv other }; + assume { Resolve2.resolve other }; + assert { [@expl:type invariant] Inv3.inv self }; + assume { Resolve3.resolve self }; + _0 <- (); + goto BB13 + } + BB13 { + goto BB14 + } + BB14 { + return _0 + } + +end +module CargoDir_LinkedList_Impl0_PushBack_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_back [#"../src/lib.rs" 433 8 433 43] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv0.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv1.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + +end +module CargoDir_LinkedList_Impl0_PushBack + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_back [#"../src/lib.rs" 433 8 433 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 430 19 430 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 433 30 433 34] Inv1.inv self} + requires {[#"../src/lib.rs" 433 36 433 39] Inv2.inv val'} + ensures { [#"../src/lib.rs" 431 18 431 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 432 18 432 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Model0.model ( * self)) (Seq.singleton val')) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _7 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + _6 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _6) }; + assume { Inv0.inv ( ^ _6) }; + _7 <- ([#"../src/lib.rs" 434 24 434 44] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _0 <- ([#"../src/lib.rs" 434 12 434 45] Append0.append _6 _7); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _7 <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + goto BB4 + } + BB4 { + return _0 + } + +end +module Core_Mem_Swap_Interface + type t + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed t + val swap (x : borrowed t) (y : borrowed t) : () + requires {Inv0.inv x} + requires {Inv0.inv y} + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot/creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + +end +module CargoDir_LinkedList_Impl0_PushFront_Interface + type t + use prelude.Borrow + use seq.Seq + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val push_front [#"../src/lib.rs" 440 8 440 44] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv0.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv1.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + +end +module CargoDir_LinkedList_Impl0_PushFront + type t + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl0_Append_Interface as Append0 with + type t = t, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv0.inv, + function Model0.model = Model0.model + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone Core_Mem_Swap_Interface as Swap0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv + clone CargoDir_LinkedList_Impl0_Singleton_Interface as Singleton0 with + type t = t, + predicate Inv0.inv = Inv2.inv, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv1.inv = Inv0.inv + let rec cfg push_front [#"../src/lib.rs" 440 8 440 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t)) (val' : t) : () + requires {[#"../src/lib.rs" 437 19 437 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 440 31 440 35] Inv1.inv self} + requires {[#"../src/lib.rs" 440 37 440 40] Inv2.inv val'} + ensures { [#"../src/lib.rs" 438 18 438 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 439 18 439 85] Seq.(==) (Model0.model ( ^ self)) (Seq.(++) (Seq.singleton val') (Model0.model ( * self))) } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var self : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) = self; + var val' : t = val'; + var this : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : (); + var _9 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _11 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + var _12 : (); + var _13 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + { + goto BB0 + } + BB0 { + goto BB1 + } + BB1 { + this <- ([#"../src/lib.rs" 441 27 441 47] Singleton0.singleton val'); + val' <- any t; + goto BB2 + } + BB2 { + _9 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _9) }; + assume { Inv0.inv ( ^ _9) }; + _11 <- Borrow.borrow_mut this; + this <- ^ _11; + assume { Inv0.inv ( ^ _11) }; + _10 <- Borrow.borrow_mut ( * _11); + _11 <- { _11 with current = ( ^ _10) }; + assume { Inv0.inv ( ^ _10) }; + _8 <- ([#"../src/lib.rs" 442 12 442 43] Swap0.swap _9 _10); + _9 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + goto BB3 + } + BB3 { + assert { [@expl:type invariant] Inv1.inv _11 }; + assume { Resolve0.resolve _11 }; + _13 <- Borrow.borrow_mut ( * self); + self <- { self with current = ( ^ _13) }; + assume { Inv0.inv ( ^ _13) }; + _12 <- ([#"../src/lib.rs" 443 12 443 29] Append0.append _13 this); + _13 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist t); + this <- any CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + goto BB4 + } + BB4 { + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve0.resolve self }; + _0 <- (); + goto BB5 + } + BB5 { + return _0 + } + +end +module CargoDir_LinkedList_Iter_Type + use prelude.Borrow + use prelude.Opaque + use prelude.Ghost + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + type t_iter 't = + | C_Iter (CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't) opaque_ptr (Ghost.ghost_ty int) + + let function iter_curr (self : t_iter 't) : opaque_ptr = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ a _ -> a + end + let function iter_l (self : t_iter 't) : CargoDir_LinkedList_LinkedList_Type.t_linkedlist 't + = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter a _ _ -> a + end + let function iter_index (self : t_iter 't) : Ghost.ghost_ty int = [@vc:do_not_keep_trace] [@vc:sp] + match (self) with + | C_Iter _ _ a -> a + end +end +module CargoDir_LinkedList_Impl1_Invariant_Stub + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) +end +module CargoDir_LinkedList_Impl1_Invariant_Interface + type t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl1_Invariant + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Opaque + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Stub as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic_Stub as IndexLogic0 with + type t = opaque_ptr + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Stub as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv0.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + predicate invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) = + [#"../src/lib.rs" 470 12 480 13] if CargoDir_LinkedList_Iter_Type.iter_curr self <> NullLogic0.null_logic () then + Invariant0.invariant' (CargoDir_LinkedList_Iter_Type.iter_l self) /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) < Seq.length (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l self)) /\ CargoDir_LinkedList_Iter_Type.iter_curr self = IndexLogic0.index_logic (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self)) /\ Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs (CargoDir_LinkedList_Iter_Type.iter_l self))) > 0 /\ Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index self) >= 0 + else + true + + val invariant' [#"../src/lib.rs" 469 8 469 38] (self : CargoDir_LinkedList_Iter_Type.t_iter t) : bool + ensures { result = invariant' self } + +end +module CargoDir_LinkedList_Impl0_Iter_Interface + type t + use prelude.Ghost + use seq.Seq + use prelude.Int + use prelude.Borrow + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant1 with + type t = t + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CargoDir_LinkedList_Impl0_Invariant_Stub as Invariant0 with + type t = t + val iter [#"../src/lib.rs" 451 8 451 41] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv0.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl0_Iter + type t + use prelude.Ghost + use prelude.Int + use prelude.Borrow + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + axiom . + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial5 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv5.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv4.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv5.inv + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv6.inv, + predicate Inv1.inv = Inv7.inv + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial3 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant0 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CargoDir_LinkedList_Impl1_Invariant as Invariant1 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv3.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve1 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = CargoDir_LinkedList_LinkedList_Type.t_linkedlist t + let rec cfg iter [#"../src/lib.rs" 451 8 451 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t) : CargoDir_LinkedList_Iter_Type.t_iter t + requires {[#"../src/lib.rs" 446 19 446 38] Invariant0.invariant' self} + requires {[#"../src/lib.rs" 447 19 447 38] Seq.length (Ghost.inner (CargoDir_LinkedList_LinkedList_Type.linkedlist_ptrs self)) > 0} + requires {[#"../src/lib.rs" 451 21 451 25] Inv1.inv self} + ensures { [#"../src/lib.rs" 448 18 448 36] Invariant1.invariant' result } + ensures { [#"../src/lib.rs" 451 30 451 41] Inv2.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : CargoDir_LinkedList_Iter_Type.t_iter t; + var self : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t = self; + var _6 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist t; + var _8 : Ghost.ghost_ty int; + { + goto BB0 + } + BB0 { + _6 <- self; + assert { [@expl:type invariant] Inv0.inv _6 }; + assume { Resolve0.resolve _6 }; + assert { [@expl:type invariant] Inv1.inv self }; + assume { Resolve1.resolve self }; + _8 <- ([#"../src/lib.rs" 455 23 455 29] Ghost.new 0); + goto BB1 + } + BB1 { + _0 <- CargoDir_LinkedList_Iter_Type.C_Iter _6 (CargoDir_LinkedList_LinkedList_Type.linkedlist_head self) _8; + _8 <- any Ghost.ghost_ty int; + return _0 + } + +end +module CreusotContracts_Model_Impl5_ShallowModel_Stub + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy +end +module CreusotContracts_Model_Impl5_ShallowModel_Interface + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_Model_Impl5_ShallowModel + type t + use prelude.Borrow + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = t, + type ShallowModelTy0.shallowModelTy = ShallowModelTy0.shallowModelTy + function shallow_model (self : t) : ShallowModelTy0.shallowModelTy = + [#"../../../../creusot/creusot-contracts/src/model.rs" 83 8 83 31] ShallowModel0.shallow_model self + val shallow_model (self : t) : ShallowModelTy0.shallowModelTy + ensures { result = shallow_model self } + +end +module CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface + type t + use prelude.Borrow + use prelude.Opaque + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = t + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized_Stub as LookupUnsized0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t + clone CreusotContracts_Logic_Fmap_Impl0_Contains_Stub as Contains0 with + type k = opaque_ptr, + type v = t + clone CreusotContracts_Model_Impl5_ShallowModel_Stub as ShallowModel0 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t, + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr t + val ptr_as_ref (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken t) (ptr : opaque_ptr) : t + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 65 4 65 36] Contains0.contains (ShallowModel0.shallow_model self) ptr} + requires {[#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 23 67 27] Inv0.inv self} + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 66 14 66 51] result = LookupUnsized0.lookup_unsized (ShallowModel0.shallow_model self) ptr } + ensures { [#"../../../../creusot/creusot-contracts/src/ghost_ptr.rs" 67 4 67 49] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next_Interface + type t + use prelude.Borrow + use prelude.Ghost + use seq.Seq + use prelude.Int + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + use Core_Option_Option_Type as Core_Option_Option_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv1 with + type t = Core_Option_Option_Type.t_option t + clone CargoDir_LinkedList_Impl0_Model_Stub as Model0 with + type t = t + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Stub as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone CargoDir_LinkedList_Impl1_Invariant_Stub as Invariant0 with + type t = t + val next [#"../src/lib.rs" 505 8 505 47] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv1.inv result } + +end +module CargoDir_LinkedList_Impl1_Next + type t + use prelude.Borrow + use prelude.Ghost + use prelude.Int + use seq.Seq + use map.Map + use prelude.Opaque + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use CargoDir_LinkedList_Node_Type as CargoDir_LinkedList_Node_Type + use Core_Option_Option_Type as Core_Option_Option_Type + use map.Map + clone CreusotContracts_Invariant_Inv_Interface as Inv12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial12 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv12.inv, + axiom . + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial11 with + type t = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv11.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv10 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial10 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv10.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial9 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv9.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Mk_Interface as Mk0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_View_Interface as View0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv, + axiom . + clone CreusotContracts_Util_Unwrap_Interface as Unwrap0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv, + axiom . + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial8 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv8.inv, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_Get as Get0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function View0.view = View0.view, + predicate Inv0.inv = Inv11.inv, + function Mk0.mk = Mk0.mk, + predicate Inv1.inv = Inv12.inv + clone CreusotContracts_Invariant_Inv_Interface as Inv7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial7 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv7.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t) + clone TyInv_Trivial as TyInv_Trivial6 with + type t = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv6.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv5 with + type t = opaque_ptr + clone TyInv_Trivial as TyInv_Trivial5 with + type t = opaque_ptr, + predicate Inv0.inv = Inv5.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)) + clone TyInv_Trivial as TyInv_Trivial4 with + type t = Map.map opaque_ptr (Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t)), + predicate Inv0.inv = Inv4.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv3 with + type t = Core_Option_Option_Type.t_option t + clone TyInv_Trivial as TyInv_Trivial3 with + type t = Core_Option_Option_Type.t_option t, + predicate Inv0.inv = Inv3.inv, + axiom . + clone CreusotContracts_GhostPtr_Impl2_AddrLogic_Interface as AddrLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Fmap_Impl0_Contains as Contains0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get + clone CreusotContracts_GhostPtr_Impl0_ShallowModel_Interface as ShallowModel0 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Logic_Ops_Impl6_IndexLogic as IndexLogic0 with + type t = opaque_ptr + clone CreusotContracts_GhostPtr_Impl2_NullLogic_Interface as NullLogic0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CargoDir_LinkedList_Impl0_NextOf as NextOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CargoDir_LinkedList_Impl0_PrevOf as PrevOf0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic, + axiom . + clone CreusotContracts_Logic_Fmap_Impl0_LookupUnsized as LookupUnsized0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function Get0.get = Get0.get, + function Unwrap0.unwrap = Unwrap0.unwrap, + predicate Inv0.inv = Inv9.inv, + predicate Inv1.inv = Inv10.inv + clone CreusotContracts_Logic_Fmap_Impl0_Lookup as Lookup0 with + type k = opaque_ptr, + type v = CargoDir_LinkedList_Node_Type.t_node t, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized + clone CargoDir_LinkedList_Impl0_WfToken as WfToken0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Contains0.contains = Contains0.contains, + function Lookup0.lookup = Lookup0.lookup, + function PrevOf0.prev_of = PrevOf0.prev_of, + function NextOf0.next_of = NextOf0.next_of, + axiom . + clone CargoDir_LinkedList_Impl0_Invariant as Invariant1 with + type t = t, + predicate WfToken0.wf_token = WfToken0.wf_token, + function NullLogic0.null_logic = NullLogic0.null_logic, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = t + clone TyInv_Trivial as TyInv_Trivial2 with + type t = t, + predicate Inv0.inv = Inv2.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = CargoDir_LinkedList_Node_Type.t_node t + clone TyInv_Trivial as TyInv_Trivial1 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + predicate Inv0.inv = Inv1.inv, + axiom . + use CargoDir_LinkedList_Iter_Type as CargoDir_LinkedList_Iter_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) + clone TyInv_Trivial as TyInv_Trivial0 with + type t = borrowed (CargoDir_LinkedList_Iter_Type.t_iter t), + predicate Inv0.inv = Inv0.inv, + axiom . + clone CreusotContracts_Model_Impl5_ShallowModel as ShallowModel1 with + type t = CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken (CargoDir_LinkedList_Node_Type.t_node t), + type ShallowModelTy0.shallowModelTy = CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr (CargoDir_LinkedList_Node_Type.t_node t), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model + clone CargoDir_LinkedList_Impl0_Model as Model0 with + type t = t, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + function Lookup0.lookup = Lookup0.lookup + clone CargoDir_LinkedList_Impl1_Invariant as Invariant0 with + type t = t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Invariant0.invariant' = Invariant1.invariant', + function Model0.model = Model0.model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve3 with + type self = t + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve2 with + type self = CargoDir_LinkedList_Node_Type.t_node t + clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with + type t = CargoDir_LinkedList_Iter_Type.t_iter t + clone CreusotContracts_GhostPtr_Impl1_PtrAsRef_Interface as PtrAsRef0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function Contains0.contains = Contains0.contains, + predicate Inv0.inv = Inv8.inv, + function LookupUnsized0.lookup_unsized = LookupUnsized0.lookup_unsized, + predicate Inv1.inv = Inv1.inv + clone Core_Ptr_ConstPtr_Impl0_IsNull_Interface as IsNull0 with + type t = CargoDir_LinkedList_Node_Type.t_node t, + function NullLogic0.null_logic = NullLogic0.null_logic, + predicate Inv0.inv = Inv7.inv, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function Contains0.contains = Contains0.contains, + function AddrLogic0.addr_logic = AddrLogic0.addr_logic + clone CreusotContracts_Resolve_Resolve_Resolve_Interface as Resolve0 with + type self = () + clone CargoDir_Lemmas_MapSetCommute_Interface as MapSetCommute0 with + type k = opaque_ptr, + type v = Core_Option_Option_Type.t_option (CargoDir_LinkedList_Node_Type.t_node t), + predicate Inv0.inv = Inv4.inv, + predicate Inv1.inv = Inv5.inv, + predicate Inv2.inv = Inv6.inv, + axiom . + let rec cfg next [#"../src/lib.rs" 505 8 505 47] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t)) : Core_Option_Option_Type.t_option t + requires {[#"../src/lib.rs" 495 19 495 38] Invariant0.invariant' ( * self)} + requires {[#"../src/lib.rs" 505 25 505 29] Inv0.inv self} + ensures { [#"../src/lib.rs" 496 18 496 37] Invariant0.invariant' ( ^ self) } + ensures { [#"../src/lib.rs" 497 18 500 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> val' = Seq.get (Model0.model (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 501 18 504 9] match (result) with + | Core_Option_Option_Type.C_Some val' -> Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( ^ self)) = Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1 + | Core_Option_Option_Type.C_None -> true + end } + ensures { [#"../src/lib.rs" 505 34 505 47] Inv3.inv result } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Core_Option_Option_Type.t_option t; + var self : borrowed (CargoDir_LinkedList_Iter_Type.t_iter t) = self; + var _6 : (); + var _8 : bool; + var node : CargoDir_LinkedList_Node_Type.t_node t; + var _17 : Ghost.ghost_ty int; + var _20 : t; + { + goto BB0 + } + BB0 { + _6 <- ([#"../src/lib.rs" 506 12 506 62] ()); + assume { Resolve0.resolve _6 }; + _8 <- ([#"../src/lib.rs" 507 15 507 34] IsNull0.is_null (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB1 + } + BB1 { + switch (_8) + | False -> goto BB3 + | True -> goto BB2 + end + } + BB2 { + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _0 <- Core_Option_Option_Type.C_None; + goto BB6 + } + BB3 { + assert { [@expl:assertion] [#"../src/lib.rs" 511 12 511 55] WfToken0.wf_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self)) (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self))) }; + node <- ([#"../src/lib.rs" 512 23 512 57] PtrAsRef0.ptr_as_ref (CargoDir_LinkedList_LinkedList_Type.linkedlist_token (CargoDir_LinkedList_Iter_Type.iter_l ( * self))) (CargoDir_LinkedList_Iter_Type.iter_curr ( * self))); + goto BB4 + } + BB4 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a (CargoDir_LinkedList_Node_Type.node_next node) c) }; + _17 <- ([#"../src/lib.rs" 514 25 514 45] Ghost.new (Ghost.inner (CargoDir_LinkedList_Iter_Type.iter_index ( * self)) + 1)); + goto BB5 + } + BB5 { + self <- { self with current = (let CargoDir_LinkedList_Iter_Type.C_Iter a b c = * self in CargoDir_LinkedList_Iter_Type.C_Iter a b _17) }; + _17 <- any Ghost.ghost_ty int; + assert { [@expl:type invariant] Inv0.inv self }; + assume { Resolve1.resolve self }; + _20 <- CargoDir_LinkedList_Node_Type.node_data node; + assert { [@expl:type invariant] Inv1.inv node }; + assume { Resolve2.resolve node }; + assert { [@expl:type invariant] Inv2.inv _20 }; + assume { Resolve3.resolve _20 }; + _0 <- Core_Option_Option_Type.C_Some _20; + goto BB6 + } + BB6 { + return _0 + } + +end +module CargoDir_Main_Main_Interface + val main [#"../src/lib.rs" 524 4 524 13] (_1 : ()) : () +end +module CargoDir_Main_Main + use prelude.Int + use prelude.Int32 + use prelude.Borrow + clone CreusotContracts_Invariant_Inv_Interface as Inv2 with + type t = int32 + clone TyInv_Trivial as TyInv_Trivial2 with + type t = int32, + predicate Inv0.inv = Inv2.inv, + axiom . + use CargoDir_LinkedList_LinkedList_Type as CargoDir_LinkedList_LinkedList_Type + clone CreusotContracts_Invariant_Inv_Interface as Inv1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32) + clone TyInv_Trivial as TyInv_Trivial1 with + type t = borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32), + predicate Inv0.inv = Inv1.inv, + axiom . + clone CreusotContracts_Invariant_Inv_Interface as Inv0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32 + clone TyInv_Trivial as TyInv_Trivial0 with + type t = CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32, + predicate Inv0.inv = Inv0.inv, + axiom . + clone CargoDir_LinkedList_Impl0_Model_Interface as Model0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_Invariant_Interface as Invariant0 with + type t = int32 + clone CargoDir_LinkedList_Impl0_PushBack_Interface as PushBack0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + predicate Inv0.inv = Inv1.inv, + predicate Inv1.inv = Inv2.inv, + function Model0.model = Model0.model + clone CargoDir_LinkedList_Impl0_New_Interface as New0 with + type t = int32, + predicate Invariant0.invariant' = Invariant0.invariant', + function Model0.model = Model0.model, + predicate Inv0.inv = Inv0.inv + let rec cfg main [#"../src/lib.rs" 524 4 524 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var l1 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l2 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l3 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var l4 : CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32; + var _5 : (); + var _6 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _7 : (); + var _8 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _9 : (); + var _10 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _11 : (); + var _12 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _13 : (); + var _14 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _15 : (); + var _16 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _17 : (); + var _18 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _19 : (); + var _20 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _21 : (); + var _22 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _23 : (); + var _24 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _25 : (); + var _26 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _27 : (); + var _28 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _29 : (); + var _30 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _31 : (); + var _32 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _33 : (); + var _34 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _35 : (); + var _36 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _37 : (); + var _38 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _39 : (); + var _40 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _41 : (); + var _42 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _43 : (); + var _44 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _45 : (); + var _46 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _47 : (); + var _48 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _49 : (); + var _50 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _51 : (); + var _52 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _53 : (); + var _54 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _55 : (); + var _56 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _57 : (); + var _58 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _59 : (); + var _60 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _61 : (); + var _62 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _63 : (); + var _64 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _65 : (); + var _66 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _67 : (); + var _68 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _69 : (); + var _70 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _71 : (); + var _72 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _73 : (); + var _74 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _75 : (); + var _76 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _77 : (); + var _78 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _79 : (); + var _80 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _81 : (); + var _82 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _83 : (); + var _84 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _85 : (); + var _86 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _87 : (); + var _88 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _89 : (); + var _90 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _91 : (); + var _92 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _93 : (); + var _94 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _95 : (); + var _96 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _97 : (); + var _98 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _99 : (); + var _100 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _101 : (); + var _102 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _103 : (); + var _104 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _105 : (); + var _106 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _107 : (); + var _108 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _109 : (); + var _110 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _111 : (); + var _112 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _113 : (); + var _114 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _115 : (); + var _116 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _117 : (); + var _118 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _119 : (); + var _120 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _121 : (); + var _122 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _123 : (); + var _124 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _125 : (); + var _126 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _127 : (); + var _128 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _129 : (); + var _130 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + var _131 : (); + var _132 : borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + { + goto BB0 + } + BB0 { + l1 <- ([#"../src/lib.rs" 525 21 525 38] New0.new ()); + goto BB1 + } + BB1 { + l2 <- ([#"../src/lib.rs" 526 21 526 38] New0.new ()); + goto BB2 + } + BB2 { + l3 <- ([#"../src/lib.rs" 527 21 527 38] New0.new ()); + goto BB3 + } + BB3 { + l4 <- ([#"../src/lib.rs" 528 21 528 38] New0.new ()); + goto BB4 + } + BB4 { + _6 <- Borrow.borrow_mut l1; + l1 <- ^ _6; + _5 <- ([#"../src/lib.rs" 530 4 530 19] PushBack0.push_back _6 ([#"../src/lib.rs" 530 17 530 18] (0 : int32))); + _6 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB5 + } + BB5 { + _8 <- Borrow.borrow_mut l2; + l2 <- ^ _8; + _7 <- ([#"../src/lib.rs" 531 4 531 19] PushBack0.push_back _8 ([#"../src/lib.rs" 531 17 531 18] (0 : int32))); + _8 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB6 + } + BB6 { + _10 <- Borrow.borrow_mut l3; + l3 <- ^ _10; + _9 <- ([#"../src/lib.rs" 532 4 532 19] PushBack0.push_back _10 ([#"../src/lib.rs" 532 17 532 18] (0 : int32))); + _10 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB7 + } + BB7 { + _12 <- Borrow.borrow_mut l4; + l4 <- ^ _12; + _11 <- ([#"../src/lib.rs" 533 4 533 19] PushBack0.push_back _12 ([#"../src/lib.rs" 533 17 533 18] (0 : int32))); + _12 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB8 + } + BB8 { + _14 <- Borrow.borrow_mut l1; + l1 <- ^ _14; + _13 <- ([#"../src/lib.rs" 535 4 535 19] PushBack0.push_back _14 ([#"../src/lib.rs" 535 17 535 18] (1 : int32))); + _14 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB9 + } + BB9 { + _16 <- Borrow.borrow_mut l2; + l2 <- ^ _16; + _15 <- ([#"../src/lib.rs" 536 4 536 19] PushBack0.push_back _16 ([#"../src/lib.rs" 536 17 536 18] (1 : int32))); + _16 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB10 + } + BB10 { + _18 <- Borrow.borrow_mut l3; + l3 <- ^ _18; + _17 <- ([#"../src/lib.rs" 537 4 537 19] PushBack0.push_back _18 ([#"../src/lib.rs" 537 17 537 18] (1 : int32))); + _18 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB11 + } + BB11 { + _20 <- Borrow.borrow_mut l4; + l4 <- ^ _20; + _19 <- ([#"../src/lib.rs" 538 4 538 19] PushBack0.push_back _20 ([#"../src/lib.rs" 538 17 538 18] (1 : int32))); + _20 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB12 + } + BB12 { + _22 <- Borrow.borrow_mut l1; + l1 <- ^ _22; + _21 <- ([#"../src/lib.rs" 540 4 540 19] PushBack0.push_back _22 ([#"../src/lib.rs" 540 17 540 18] (2 : int32))); + _22 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB13 + } + BB13 { + _24 <- Borrow.borrow_mut l2; + l2 <- ^ _24; + _23 <- ([#"../src/lib.rs" 541 4 541 19] PushBack0.push_back _24 ([#"../src/lib.rs" 541 17 541 18] (2 : int32))); + _24 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB14 + } + BB14 { + _26 <- Borrow.borrow_mut l3; + l3 <- ^ _26; + _25 <- ([#"../src/lib.rs" 542 4 542 19] PushBack0.push_back _26 ([#"../src/lib.rs" 542 17 542 18] (2 : int32))); + _26 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB15 + } + BB15 { + _28 <- Borrow.borrow_mut l4; + l4 <- ^ _28; + _27 <- ([#"../src/lib.rs" 543 4 543 19] PushBack0.push_back _28 ([#"../src/lib.rs" 543 17 543 18] (2 : int32))); + _28 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB16 + } + BB16 { + _30 <- Borrow.borrow_mut l1; + l1 <- ^ _30; + _29 <- ([#"../src/lib.rs" 545 4 545 19] PushBack0.push_back _30 ([#"../src/lib.rs" 545 17 545 18] (3 : int32))); + _30 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB17 + } + BB17 { + _32 <- Borrow.borrow_mut l2; + l2 <- ^ _32; + _31 <- ([#"../src/lib.rs" 546 4 546 19] PushBack0.push_back _32 ([#"../src/lib.rs" 546 17 546 18] (3 : int32))); + _32 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB18 + } + BB18 { + _34 <- Borrow.borrow_mut l3; + l3 <- ^ _34; + _33 <- ([#"../src/lib.rs" 547 4 547 19] PushBack0.push_back _34 ([#"../src/lib.rs" 547 17 547 18] (3 : int32))); + _34 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB19 + } + BB19 { + _36 <- Borrow.borrow_mut l4; + l4 <- ^ _36; + _35 <- ([#"../src/lib.rs" 548 4 548 19] PushBack0.push_back _36 ([#"../src/lib.rs" 548 17 548 18] (3 : int32))); + _36 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB20 + } + BB20 { + _38 <- Borrow.borrow_mut l1; + l1 <- ^ _38; + _37 <- ([#"../src/lib.rs" 550 4 550 19] PushBack0.push_back _38 ([#"../src/lib.rs" 550 17 550 18] (4 : int32))); + _38 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB21 + } + BB21 { + _40 <- Borrow.borrow_mut l2; + l2 <- ^ _40; + _39 <- ([#"../src/lib.rs" 551 4 551 19] PushBack0.push_back _40 ([#"../src/lib.rs" 551 17 551 18] (4 : int32))); + _40 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB22 + } + BB22 { + _42 <- Borrow.borrow_mut l3; + l3 <- ^ _42; + _41 <- ([#"../src/lib.rs" 552 4 552 19] PushBack0.push_back _42 ([#"../src/lib.rs" 552 17 552 18] (4 : int32))); + _42 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB23 + } + BB23 { + _44 <- Borrow.borrow_mut l4; + l4 <- ^ _44; + _43 <- ([#"../src/lib.rs" 553 4 553 19] PushBack0.push_back _44 ([#"../src/lib.rs" 553 17 553 18] (4 : int32))); + _44 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB24 + } + BB24 { + _46 <- Borrow.borrow_mut l1; + l1 <- ^ _46; + _45 <- ([#"../src/lib.rs" 555 4 555 19] PushBack0.push_back _46 ([#"../src/lib.rs" 555 17 555 18] (5 : int32))); + _46 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB25 + } + BB25 { + _48 <- Borrow.borrow_mut l2; + l2 <- ^ _48; + _47 <- ([#"../src/lib.rs" 556 4 556 19] PushBack0.push_back _48 ([#"../src/lib.rs" 556 17 556 18] (5 : int32))); + _48 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB26 + } + BB26 { + _50 <- Borrow.borrow_mut l3; + l3 <- ^ _50; + _49 <- ([#"../src/lib.rs" 557 4 557 19] PushBack0.push_back _50 ([#"../src/lib.rs" 557 17 557 18] (5 : int32))); + _50 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB27 + } + BB27 { + _52 <- Borrow.borrow_mut l4; + l4 <- ^ _52; + _51 <- ([#"../src/lib.rs" 558 4 558 19] PushBack0.push_back _52 ([#"../src/lib.rs" 558 17 558 18] (5 : int32))); + _52 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB28 + } + BB28 { + _54 <- Borrow.borrow_mut l1; + l1 <- ^ _54; + _53 <- ([#"../src/lib.rs" 560 4 560 19] PushBack0.push_back _54 ([#"../src/lib.rs" 560 17 560 18] (6 : int32))); + _54 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB29 + } + BB29 { + _56 <- Borrow.borrow_mut l2; + l2 <- ^ _56; + _55 <- ([#"../src/lib.rs" 561 4 561 19] PushBack0.push_back _56 ([#"../src/lib.rs" 561 17 561 18] (6 : int32))); + _56 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB30 + } + BB30 { + _58 <- Borrow.borrow_mut l3; + l3 <- ^ _58; + _57 <- ([#"../src/lib.rs" 562 4 562 19] PushBack0.push_back _58 ([#"../src/lib.rs" 562 17 562 18] (6 : int32))); + _58 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB31 + } + BB31 { + _60 <- Borrow.borrow_mut l4; + l4 <- ^ _60; + _59 <- ([#"../src/lib.rs" 563 4 563 19] PushBack0.push_back _60 ([#"../src/lib.rs" 563 17 563 18] (6 : int32))); + _60 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB32 + } + BB32 { + _62 <- Borrow.borrow_mut l1; + l1 <- ^ _62; + _61 <- ([#"../src/lib.rs" 565 4 565 19] PushBack0.push_back _62 ([#"../src/lib.rs" 565 17 565 18] (7 : int32))); + _62 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB33 + } + BB33 { + _64 <- Borrow.borrow_mut l2; + l2 <- ^ _64; + _63 <- ([#"../src/lib.rs" 566 4 566 19] PushBack0.push_back _64 ([#"../src/lib.rs" 566 17 566 18] (7 : int32))); + _64 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB34 + } + BB34 { + _66 <- Borrow.borrow_mut l3; + l3 <- ^ _66; + _65 <- ([#"../src/lib.rs" 567 4 567 19] PushBack0.push_back _66 ([#"../src/lib.rs" 567 17 567 18] (7 : int32))); + _66 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB35 + } + BB35 { + _68 <- Borrow.borrow_mut l4; + l4 <- ^ _68; + _67 <- ([#"../src/lib.rs" 568 4 568 19] PushBack0.push_back _68 ([#"../src/lib.rs" 568 17 568 18] (7 : int32))); + _68 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB36 + } + BB36 { + _70 <- Borrow.borrow_mut l1; + l1 <- ^ _70; + _69 <- ([#"../src/lib.rs" 570 4 570 19] PushBack0.push_back _70 ([#"../src/lib.rs" 570 17 570 18] (8 : int32))); + _70 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB37 + } + BB37 { + _72 <- Borrow.borrow_mut l2; + l2 <- ^ _72; + _71 <- ([#"../src/lib.rs" 571 4 571 19] PushBack0.push_back _72 ([#"../src/lib.rs" 571 17 571 18] (8 : int32))); + _72 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB38 + } + BB38 { + _74 <- Borrow.borrow_mut l3; + l3 <- ^ _74; + _73 <- ([#"../src/lib.rs" 572 4 572 19] PushBack0.push_back _74 ([#"../src/lib.rs" 572 17 572 18] (8 : int32))); + _74 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB39 + } + BB39 { + _76 <- Borrow.borrow_mut l4; + l4 <- ^ _76; + _75 <- ([#"../src/lib.rs" 573 4 573 19] PushBack0.push_back _76 ([#"../src/lib.rs" 573 17 573 18] (8 : int32))); + _76 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB40 + } + BB40 { + _78 <- Borrow.borrow_mut l1; + l1 <- ^ _78; + _77 <- ([#"../src/lib.rs" 575 4 575 19] PushBack0.push_back _78 ([#"../src/lib.rs" 575 17 575 18] (9 : int32))); + _78 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB41 + } + BB41 { + _80 <- Borrow.borrow_mut l2; + l2 <- ^ _80; + _79 <- ([#"../src/lib.rs" 576 4 576 19] PushBack0.push_back _80 ([#"../src/lib.rs" 576 17 576 18] (9 : int32))); + _80 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB42 + } + BB42 { + _82 <- Borrow.borrow_mut l3; + l3 <- ^ _82; + _81 <- ([#"../src/lib.rs" 577 4 577 19] PushBack0.push_back _82 ([#"../src/lib.rs" 577 17 577 18] (9 : int32))); + _82 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB43 + } + BB43 { + _84 <- Borrow.borrow_mut l4; + l4 <- ^ _84; + _83 <- ([#"../src/lib.rs" 578 4 578 19] PushBack0.push_back _84 ([#"../src/lib.rs" 578 17 578 18] (9 : int32))); + _84 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB44 + } + BB44 { + _86 <- Borrow.borrow_mut l1; + l1 <- ^ _86; + _85 <- ([#"../src/lib.rs" 580 4 580 20] PushBack0.push_back _86 ([#"../src/lib.rs" 580 17 580 19] (10 : int32))); + _86 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB45 + } + BB45 { + _88 <- Borrow.borrow_mut l2; + l2 <- ^ _88; + _87 <- ([#"../src/lib.rs" 581 4 581 20] PushBack0.push_back _88 ([#"../src/lib.rs" 581 17 581 19] (10 : int32))); + _88 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB46 + } + BB46 { + _90 <- Borrow.borrow_mut l3; + l3 <- ^ _90; + _89 <- ([#"../src/lib.rs" 582 4 582 20] PushBack0.push_back _90 ([#"../src/lib.rs" 582 17 582 19] (10 : int32))); + _90 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB47 + } + BB47 { + _92 <- Borrow.borrow_mut l4; + l4 <- ^ _92; + _91 <- ([#"../src/lib.rs" 583 4 583 20] PushBack0.push_back _92 ([#"../src/lib.rs" 583 17 583 19] (10 : int32))); + _92 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB48 + } + BB48 { + _94 <- Borrow.borrow_mut l1; + l1 <- ^ _94; + _93 <- ([#"../src/lib.rs" 585 4 585 20] PushBack0.push_back _94 ([#"../src/lib.rs" 585 17 585 19] (11 : int32))); + _94 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB49 + } + BB49 { + _96 <- Borrow.borrow_mut l2; + l2 <- ^ _96; + _95 <- ([#"../src/lib.rs" 586 4 586 20] PushBack0.push_back _96 ([#"../src/lib.rs" 586 17 586 19] (11 : int32))); + _96 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB50 + } + BB50 { + _98 <- Borrow.borrow_mut l3; + l3 <- ^ _98; + _97 <- ([#"../src/lib.rs" 587 4 587 20] PushBack0.push_back _98 ([#"../src/lib.rs" 587 17 587 19] (11 : int32))); + _98 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB51 + } + BB51 { + _100 <- Borrow.borrow_mut l4; + l4 <- ^ _100; + _99 <- ([#"../src/lib.rs" 588 4 588 20] PushBack0.push_back _100 ([#"../src/lib.rs" 588 17 588 19] (11 : int32))); + _100 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB52 + } + BB52 { + _102 <- Borrow.borrow_mut l1; + l1 <- ^ _102; + _101 <- ([#"../src/lib.rs" 590 4 590 20] PushBack0.push_back _102 ([#"../src/lib.rs" 590 17 590 19] (12 : int32))); + _102 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB53 + } + BB53 { + _104 <- Borrow.borrow_mut l2; + l2 <- ^ _104; + _103 <- ([#"../src/lib.rs" 591 4 591 20] PushBack0.push_back _104 ([#"../src/lib.rs" 591 17 591 19] (12 : int32))); + _104 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB54 + } + BB54 { + _106 <- Borrow.borrow_mut l3; + l3 <- ^ _106; + _105 <- ([#"../src/lib.rs" 592 4 592 20] PushBack0.push_back _106 ([#"../src/lib.rs" 592 17 592 19] (12 : int32))); + _106 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB55 + } + BB55 { + _108 <- Borrow.borrow_mut l4; + l4 <- ^ _108; + _107 <- ([#"../src/lib.rs" 593 4 593 20] PushBack0.push_back _108 ([#"../src/lib.rs" 593 17 593 19] (12 : int32))); + _108 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB56 + } + BB56 { + _110 <- Borrow.borrow_mut l1; + l1 <- ^ _110; + _109 <- ([#"../src/lib.rs" 595 4 595 20] PushBack0.push_back _110 ([#"../src/lib.rs" 595 17 595 19] (13 : int32))); + _110 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB57 + } + BB57 { + _112 <- Borrow.borrow_mut l2; + l2 <- ^ _112; + _111 <- ([#"../src/lib.rs" 596 4 596 20] PushBack0.push_back _112 ([#"../src/lib.rs" 596 17 596 19] (13 : int32))); + _112 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB58 + } + BB58 { + _114 <- Borrow.borrow_mut l3; + l3 <- ^ _114; + _113 <- ([#"../src/lib.rs" 597 4 597 20] PushBack0.push_back _114 ([#"../src/lib.rs" 597 17 597 19] (13 : int32))); + _114 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB59 + } + BB59 { + _116 <- Borrow.borrow_mut l4; + l4 <- ^ _116; + _115 <- ([#"../src/lib.rs" 598 4 598 20] PushBack0.push_back _116 ([#"../src/lib.rs" 598 17 598 19] (13 : int32))); + _116 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB60 + } + BB60 { + _118 <- Borrow.borrow_mut l1; + l1 <- ^ _118; + _117 <- ([#"../src/lib.rs" 600 4 600 20] PushBack0.push_back _118 ([#"../src/lib.rs" 600 17 600 19] (14 : int32))); + _118 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB61 + } + BB61 { + _120 <- Borrow.borrow_mut l2; + l2 <- ^ _120; + _119 <- ([#"../src/lib.rs" 601 4 601 20] PushBack0.push_back _120 ([#"../src/lib.rs" 601 17 601 19] (14 : int32))); + _120 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB62 + } + BB62 { + _122 <- Borrow.borrow_mut l3; + l3 <- ^ _122; + _121 <- ([#"../src/lib.rs" 602 4 602 20] PushBack0.push_back _122 ([#"../src/lib.rs" 602 17 602 19] (14 : int32))); + _122 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB63 + } + BB63 { + _124 <- Borrow.borrow_mut l4; + l4 <- ^ _124; + _123 <- ([#"../src/lib.rs" 603 4 603 20] PushBack0.push_back _124 ([#"../src/lib.rs" 603 17 603 19] (14 : int32))); + _124 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB64 + } + BB64 { + _126 <- Borrow.borrow_mut l1; + l1 <- ^ _126; + _125 <- ([#"../src/lib.rs" 605 4 605 20] PushBack0.push_back _126 ([#"../src/lib.rs" 605 17 605 19] (15 : int32))); + _126 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB65 + } + BB65 { + _128 <- Borrow.borrow_mut l2; + l2 <- ^ _128; + _127 <- ([#"../src/lib.rs" 606 4 606 20] PushBack0.push_back _128 ([#"../src/lib.rs" 606 17 606 19] (15 : int32))); + _128 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB66 + } + BB66 { + _130 <- Borrow.borrow_mut l3; + l3 <- ^ _130; + _129 <- ([#"../src/lib.rs" 607 4 607 20] PushBack0.push_back _130 ([#"../src/lib.rs" 607 17 607 19] (15 : int32))); + _130 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB67 + } + BB67 { + _132 <- Borrow.borrow_mut l4; + l4 <- ^ _132; + _131 <- ([#"../src/lib.rs" 608 4 608 20] PushBack0.push_back _132 ([#"../src/lib.rs" 608 17 608 19] (15 : int32))); + _132 <- any borrowed (CargoDir_LinkedList_LinkedList_Type.t_linkedlist int32); + goto BB68 + } + BB68 { + _0 <- (); + return _0 + } + +end diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16/why3session.xml b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16/why3session.xml new file mode 100644 index 0000000..b0835e6 --- /dev/null +++ b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16/why3session.xml @@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16/why3shapes.gz b/milli/doubly-linked-list/creusot-sessions/linked-list-repeat-16/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..62a8f7c15969ab4c8b3416155a0b6fea7a604885 GIT binary patch literal 3542 zcmV;{4Jq;;iwFP!00000|J_Z8y+|O3K{p_iIegry?-R|k><>(V%-ta7fXatII|M-vHlW$+PKlbf2FpZ?k z_d{a%5Ew|9{p)V)apBXq_WRoZ0J)=7EPXyiMrv^bOWJO?JwnH!1r=>JyC08FyWVda z({5ijo5#)W%esSI|F(be4^b+!m;)y}8h-#nZQt+Hx2--#^A;f3FLw>49SKXe!0PdN z@4vU3-R|4V^H_#4YBWAMUUlJk#bR(Dy(kuK28*`2DM2r23qg75fN(OUxH;%;{nPXD zUkzm)Xz&g^bj)gtMWsvyQ#`&310?Qbv78&BdQIFh_W8hb>g z+|g8iW+2-Z5IHp~K(+`-r6ZyiMYE#k%qm-AGAowOhg~(RTH=P+W+l+9MrOw+W+g9} z6<-WiqjFOX7DfjP(}RUEw6JW0v>>}d6Nzm&c^)_2e)Erq^}l_OCn=J$M%@p|tVCtE zaI z7UmtsM(E6&Q-cdrJ8@7(P8^hx%MQv&bWqc9Q8^eF?P0zBvhl~=wqavGg@Y69{b9HH?y-G`^w7m75#n>hOj6cl zG-R`Xfq5L>+;sBMRzd=az$WtHGo7 z;JIdSTw7V>kie13(J76=VC>ys%sdG->P~SM@gRG*7`$7IurWZrtkIFm|2G(*xuM4} za0UFq>nqfTkXzuNvf%b105Ce9GYJ7Od_D#M>I{nA`==fFECZ^1&}#h5h!a&(&s?KA zz@Yz@8Xc{*5|>w6sn;e=u$)}65<SxaA}@Qcr;f zXv8A`Fi9zU$P98q z8lQXM59bM;F`Mt(BVaGW)TpEV0$Yz_V4jTlJb%lihx_=a%~><-Lqqu2A^X<)YW9s& z=k3pT9fhf2ffE{_-_nygwjZFs14RLK^G50frULb(Ns8SOk3uVTvkU9*;O}<1+wXTj zeE$<*%qYxh$fbFsfu?L%>utMf6#F=y0)K#%Vn~W&8hLnG9{lewe%twrva8?$uj~(a z75PC5GEc}FTB%!9*SK3804d01Luf2YH_9|h<$cJHgBb;05^o;rG**4Y0m%Nu$1H#n zC&3ELS?Wt+S^{qlGvYd6Ceoer@nwtXdw#{oPqk9M`nFG+M%PDy(cfYLP5Hi|^? z;?|`&dxTP8lB^r4K1MO6I=P?)h=G2VA?kPXHlk28aq12CNWo1PGyW zGOy;j5qw{ibVSHT@J5I+Kw$a?Oe$9wi-+151!;sn^+k@oKf~Xz*{LAO55>gG1LZSb z&aoFLzv|%w<&cpT4;K-v!NUcam)65IUk}5ehpB7SDQy7PhRXoC(NG|pJ!dGKA?C_A z`+5M<82GO3HDt((gtwK~o8t9m>h)Xy$1!-lL9aLGyk5&jivZMdN1BhlUUOV}CPPK9 z57@_w*Xz?1HTbl;AgK>VE60Wo;d9Bx;%x>HeGU8ESPE>euv`EI;b zg z&(D6_UoK&dD_HcTgjL1H98Obg%#|TI6s)S^R;*AB7({uELGU$X=_y_fI24LjIW?y_ z1k;FCi2uij5$O@UQB|Hsret$rGL5L*Gd!D&R@}zQRCz~9VP*Vya%mf334Y5Qdo_v> zpHW8X749G=QZ$x9DTcCG9HkQVwJ25kEIXeH%S-9<`Q`96=S0&Zs0FUh;_8>1s&dK6)FjxcN*VRWtyvrK3dgr+NQbAd?X;#fGID39d?oW^o_C?Tm_Syo|l zc2R9b=B>yq0j4dVL+HFsmCDcIWN%9d9vZoHh|^PLdLoTT(lDAT)Ty=|=<)CuT?{m^ zIL{b1<8&JGlQf-_*EX~r6OD0dJ7!`#CcV~$-RNvPgH1&%mbDejD^@HgR{S0djCb|4 zYT|0q5kivra0Gk@c1}!d^h1J+|huLv*rMUE$SKhdJ zM{2ogy~i~OUgKkd)cBPF^~!G@*!W_?Pi`jp0YMKp0aLyAkt)TdSFb3em(}pjT(VIa zwltr<%EFZCHAP&iV6#R2Od;!M3RPv-V3lc);Zn0=My2F-P2k`LIX z0y4PAuMw>CL!1qMdk-w**@okK#7G<54Y2UEKe%W|(_uCFl`oMAU{aNF!>Ubm>a%pt zQJH`t4;6{{ij^jZ0`*X}&gGY?mttz1?k;v7i`YZ?iP@p5$r_&O8?gmbr)3Ouy-<}= zq0F5MGg!vJkyw$zTYRX3!;SH*&N%1{OB$S?rC+6@A&=oKBjkh=Lr(alQ0gMge7aiL zpl7nG`eZ`8d)e<3`QcXb>hUew&B5oxiBB&@v5aTMrk52AVlBi-c9(Qtpw$2 zRO*=@7xVjA-h`8vqOQy(NC~ZZX$4r5^&5o{15UC=^88RGi_j7uHssmUlE4(m<}#fy zi_sYg3_>t`(Hey5Vki@5txd?v8iWWH&}|74MVlgRzOX$h^%-W^d9@q)1$lQm2sVn=FY5nUtAIGCqByu1lg$Bsn>K z6Hnj798V=lLateC!GvF6$*Cmc81LQW(hkvEMCk|dB_Xj@WSI4fl*lIYPrBzz9P;wV2)U2ku0I=>{Ww|dzbh+a#f zc-OYt>y@{Hce0xa#~pLjk(-sVwqJU>^d02dRB@@hez{btrJZcmaz?46#93#YcFM`L zjGEpqjiqKK2$d_g>if3qmQ)JE4WnYlm}As2;;41hII100j!H*`qukL*rDKF>Wn|ZP z3UWB!Dk3^*l<7OKnN%}D9Jh`e$F<|iap^dS&K+ltQ^$#8)-mIlc1$@2!U@MX5Vn2= z`-i)e=#^)jfQ@xZ^UfH~mW-@sia2SVG)`(KVO!Ek;UssGIZ2%)PFN?56WR&ogmgkU z!JS}E(4qq)4N+{#jVF@pm0pRSs-8(IDYuN;nPN`S|B(q@8nf(H#Cx*pIb&VlLgb+x z>}{!xU(K|3S~)G97EW`gnbXv1;*@pDIHiNGlyXWsC4!a|uZ~fHGOX%b(n|(P@+-B} z5;z#!ncjFaGu#>G3=JgU7{LsP)7EKINHDRYg!!fSzU`C{%1dD>1#{xMWuDE9bVghy z(KE$5ZI`OEORamkn)QY-=YBwJFxA}h^lOL(tm zlzKDM0OqsOYOPx6g*4z49LPn QLeupB0J$58m$EJZ0DZyPfB*mh literal 0 HcmV?d00001 diff --git a/milli/doubly-linked-list/creusot.rs b/milli/doubly-linked-list/creusot.rs new file mode 100644 index 0000000..ded1b61 --- /dev/null +++ b/milli/doubly-linked-list/creusot.rs @@ -0,0 +1,536 @@ + +// !!MAIN!!PRE_BEGIN!! + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} +// !!MAIN!!PRE_END!! + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + l1.push_back(1); + l1.push_back(0); + // proof_assert!(l1@.len() == 2); + let _ = l1.pop_back(); + // proof_assert!(l1@.len() == 1); + } + +} \ No newline at end of file diff --git a/milli/doubly-linked-list/dafny.dfy b/milli/doubly-linked-list/dafny.dfy new file mode 100644 index 0000000..f90f08e --- /dev/null +++ b/milli/doubly-linked-list/dafny.dfy @@ -0,0 +1,377 @@ +// !!MAIN!!PRE_BEGIN!! +module NativeTypes { +ghost const maxUInt64 := 0x1_0000_0000_0000_0000 +newtype{:nativeType "ulong"} uint64 = i:int | 0 <= i < maxUInt64 +} + +// https://github.com/secure-foundations/everquic-dafny/blob/master/src/PrivateDLL.dfy + +module Seqs { + function last(s:seq) : T + requires |s| > 0 + { + s[|s|-1] + } + + function all_but_last(s:seq) : seq + requires |s| > 0 + { + s[..|s|-1] + } + + function reverse(s:seq) : seq + ensures |reverse(s)| == |s| + { + if s == [] then [] + else reverse(s[1..]) + [s[0]] + } +} + +module DoublyLinkedList { + import opened Seqs + + export DoublyLinkedList + provides Seqs + provides Node + provides DoublyLinkedList + provides DoublyLinkedList.Vals, DoublyLinkedList.Repr + provides DoublyLinkedList.Valid + provides DoublyLinkedList._ctor, DoublyLinkedList.IsEmpty + provides DoublyLinkedList.RemoveHead, DoublyLinkedList.RemoveTail + provides DoublyLinkedList.InsertHead, DoublyLinkedList.InsertTail + provides DoublyLinkedList.PeekHead, DoublyLinkedList.PeekTail + provides DoublyLinkedList.Clear + provides Node.payload + provides DllIterator + provides DllIterator._ctor + provides DllIterator.Valid, DllIterator.d, DllIterator.GetIndex + provides DllIterator.GetVal, DllIterator.MoveNext + reveals DoublyLinkedList + reveals Node + reveals DllIterator + + class Node { + var L: Node? + var R: Node? + var payload:T + constructor (p:T) + ensures payload == p + { + payload := p; + } + } + + lemma find_index(Nodes: seq>, Repr: set>, x:Node) returns (k:nat) + requires forall i :: 0 <= i < |Nodes| ==> Nodes[i] in Repr + requires |Nodes| == |Repr| + requires x in Repr + requires forall i,j :: 0 <= i < j < |Nodes| ==> Nodes[i] != Nodes[j] + ensures 0 <= k < |Nodes| && Nodes[k] == x + { + if Nodes[0] == x { + k := 0; + } else { + var rest_seq := Nodes[1..]; + var rest_set := Repr - {Nodes[0]}; + var k' := find_index(Nodes[1..], Repr - {Nodes[0]}, x); + k := 1 + k'; + } + } + + lemma exists_index(Nodes: seq>, Repr: set>, x:Node) + requires forall i :: 0 <= i < |Nodes| ==> Nodes[i] in Repr + requires |Nodes| == |Repr| + requires x in Repr + requires forall i,j :: 0 <= i < j < |Nodes| ==> Nodes[i] != Nodes[j] + ensures exists k :: 0 <= k < |Nodes| && Nodes[k] == x + { + ghost var k := find_index(Nodes, Repr, x); + } + + class DoublyLinkedList { + ghost var Nodes: seq> // sequence of nodes in the linked list + ghost var Repr: set> // (redundant) representation of the list's footprint + ghost var Vals: seq + var head:Node? + var tail:Node? + + // Valid() says that the data structure is a proper doubly linked list + ghost predicate Valid() + reads this, Repr + { + (forall i :: 0 <= i < |Nodes| ==> Nodes[i] in Repr) && + |Nodes| == |Repr| && + (|Nodes| == 0 <==> head == tail == null) && + (|Nodes| > 0 ==> + head == Nodes[0] && tail == last(Nodes) && + Nodes[0].L == null && last(Nodes).R == null && + (forall i {:trigger Nodes[i].L} :: 1 <= i < |Nodes| ==> Nodes[i].L == Nodes[i-1]) && + (forall i {:trigger Nodes[i].R} :: 0 <= i < |Nodes|-1 ==> Nodes[i].R == Nodes[i+1]) + ) && + (forall i,j :: 0 <= i < j < |Nodes| ==> Nodes[i] != Nodes[j]) && // this is actually a consequence of the previous conditions + |Nodes| == |Vals| && + (forall i :: 0 <= i < |Nodes| ==> Nodes[i].payload == Vals[i]) + } + + constructor() + ensures Valid() + ensures Vals == [] + ensures fresh(Repr) + { + Nodes := []; + Repr := {}; + Vals := []; + head := null; + tail := null; + } + + method IsEmpty() returns (b:bool) + requires Valid() + ensures b <==> (|Vals| == 0) + { + b := (head == null && tail == null); + } + + // Internal method -- tends to be a bit flaky + method Remove(x: Node) returns (ghost k: int) + requires Valid() + requires x in Repr + modifies this, Repr + ensures Valid() + ensures 0 <= k < |old(Nodes)| && x == old(Nodes)[k] + ensures Nodes == old(Nodes)[..k] + old(Nodes)[k+1..] + ensures Vals == old(Vals)[..k] + old(Vals)[k+1..] + ensures x.L == old(x.L) && x.R == old(x.R) && x.payload == old(x.payload) + ensures Repr == old(Repr) - {x} + //ensures forall n :: n in old(Repr) ==> n.payload == old(n.payload) + { + //k :| 0 <= k < |Nodes| && Nodes[k] == x; + k := find_index(Nodes, Repr, x); + if (x.L == null && x.R == null) { + Nodes := []; + Repr := Repr - {x}; + head := null; + tail := null; + Vals := []; + } else if (x.L == null) { + assert k == 0; + x.R.L := null; + head := x.R; + Nodes := Nodes[1..]; + Repr := Repr - {x}; + Vals := Vals[1..]; + } else if (x.R == null) { + assert k == |Nodes| - 1; + x.L.R := null; + tail := x.L; + Nodes := Nodes[..|Nodes|-1]; + assert old(Nodes)[k+1..] == []; + Repr := Repr - {x}; + Vals := Vals[..|Vals|-1]; + assert old(Vals)[k+1..] == []; + } else { + x.R.L := x.L; + x.L.R := x.R; + Nodes := Nodes[..k] + Nodes[k+1..]; + Repr := Repr - {x}; + Vals := Vals[0..k] + Vals[k+1..]; + assert Vals == old(Vals)[..k] + old(Vals)[k+1..]; + } + } + + method RemoveHead() returns (h:T) + requires Valid() + requires |Vals| != 0 + modifies this, Repr + ensures Valid() + ensures h == old(Vals)[0] + ensures Vals == old(Vals)[1..] + ensures forall o :: o in Repr ==> o in old(Repr) + { + h := head.payload; + ghost var k := Remove(head); + } + + method RemoveTail() returns (t:T) + requires Valid() + requires |Vals| != 0 + modifies this, Repr + ensures Valid() + ensures t == last(old(Vals)) + ensures Vals == all_but_last(old(Vals)) + ensures forall o :: o in Repr ==> o in old(Repr) + { + t := tail.payload; + ghost var k := Remove(tail); + } + + method InsertHead(v:T) + requires Valid() + modifies this, Repr + ensures Valid() + ensures Vals == [v] + old(Vals) + ensures forall o :: o in Repr ==> o in old(Repr) || fresh(o) + { + var x := new Node(v); + if head == null { + head := x; + tail := x; + x.L := null; + x.R := null; + Nodes := [x]; + Repr := {x}; + } else { + x.R := head; + x.L := null; + head.L := x; + head := x; + Nodes := [x] + old(Nodes); + Repr := {x} + old(Repr); + } + Vals := [v] + Vals; + } + + method InsertTail(v:T) + requires Valid() + modifies this, Repr + ensures Valid() + ensures Vals == old(Vals) + [v] + ensures forall o :: o in Repr ==> o in old(Repr) || fresh(o) + { + var x := new Node(v); + if tail == null { + head := x; + tail := x; + x.L := null; + x.R := null; + Nodes := [x]; + Repr := {x}; + } else { + x.L := tail; + x.R := null; + tail.R := x; + tail := x; + Nodes := old(Nodes) + [x]; + Repr := old(Repr) + {x}; + } + Vals := Vals + [v]; + } + + method PeekHead() returns (v:T) + requires Valid() + requires |Vals| != 0 + ensures v == Vals[0] + { + v := head.payload; + } + + method PeekTail() returns (v:T) + requires Valid() + requires |Vals| != 0 + ensures v == last(Vals) + { + v := tail.payload; + } + + method Clear() + requires Valid() + modifies this, Repr + ensures Valid() + { + Repr := {}; + Nodes := []; + Vals := []; + head := null; + tail := null; + } + } + + class DllIterator { + var ptr:Node? + ghost var index:nat + var d:DoublyLinkedList + + ghost predicate Valid() + reads this, d, d.Repr + { + && d.Valid() + && 0 <= index < |d.Nodes| + && ptr == d.Nodes[index] + } + + ghost function GetIndex() : nat + reads this + { + index + } + + constructor (d':DoublyLinkedList) + requires d'.Valid() + requires |d'.Vals| > 0 + ensures Valid() + ensures d == d' + ensures GetIndex() == 0 + { + d := d'; + ptr := d'.head; + index := 0; + } + + method GetVal() returns (v:T) + requires Valid() + ensures 0 <= GetIndex() < |d.Vals| && d.Vals[GetIndex()] == v + { + return ptr.payload; + } + + method MoveNext() returns (good:bool) + requires Valid() + modifies this + ensures good ==> Valid() + ensures GetIndex() == old(GetIndex()) + 1 + ensures !good <==> GetIndex() == |d.Vals| + ensures d == old(d) + { + ptr := ptr.R; + index := index + 1; + if ptr != null { + good := true; + } else { + good := false; + } + } + } + +} +// !!MAIN!!PRE_END!! + +module Main{ + import opened DoublyLinkedList + + method Main() { + var l := new DoublyLinkedList(); + l.InsertTail(2); + l.InsertTail(3); + l.InsertHead(1); // 1, 2, 3 + + var it := new DllIterator(l); + var v1 := it.GetVal(); + assert(v1 == 1); + var _ := it.MoveNext(); + var v2 := it.GetVal(); + assert(v2 == 2); + var _ := it.MoveNext(); + var v3 := it.GetVal(); + assert(v3 == 3); + var g := it.MoveNext(); + assert(!g); + + var x := l.RemoveTail(); + var y := l.RemoveHead(); + var z := l.RemoveHead(); + + assert(x == 3); + assert(y == 1); + assert(z == 2); + } +} diff --git a/milli/doubly-linked-list/explib.py b/milli/doubly-linked-list/explib.py new file mode 100644 index 0000000..8216e52 --- /dev/null +++ b/milli/doubly-linked-list/explib.py @@ -0,0 +1,35 @@ +import time +import os +import subprocess +import sys + +SAMPLES = 2 + +REPEAT_OUT_PATH = "repeat-out" + +def run_command(cmd, filenames, success_text, my_env, timeout=None): + start_time = time.time() + try: + result = subprocess.run(cmd + filenames, capture_output = True, env=my_env, timeout=timeout) + # print(result) + except subprocess.TimeoutExpired: + return None + end_time = time.time() + if (not success_text in result.stdout) and (not success_text in result.stderr): + print(result.stdout, file=sys.stderr) + print(result.stderr[:100], file=sys.stderr) + return None + elapsed_time = end_time - start_time + return elapsed_time + +def write_file(tool, suffix, code): + out_filename = REPEAT_OUT_PATH + "/" + f"{tool}{suffix}" + with open(out_filename, "w") as f: + f.write(code) + f.flush() + return out_filename + +def run_command_on_code(tool, suffix, code, cmd, success_text, my_env, timeout=None): + out_filename = write_file(tool, suffix, code) + elapsed_time = run_command(cmd, [out_filename], success_text, my_env, timeout=timeout) + return elapsed_time diff --git a/milli/doubly-linked-list/oneshot.py b/milli/doubly-linked-list/oneshot.py new file mode 100644 index 0000000..e35520f --- /dev/null +++ b/milli/doubly-linked-list/oneshot.py @@ -0,0 +1,57 @@ +import os +import tempfile +import subprocess +import sys +import shutil +import statistics + +PRUSTI_CACHE = 1 +CARGO_CREUSOT = 2 +PRUSTI_ENV = 4 + +COMMANDS = { + "dafny": ([os.environ.get('EVAL_DAFNY_EXE'), "verify", "--cores", "1"], []), + "verus": ([os.environ.get('EVAL_VERUS_EXE'), "--num-threads", "1"], []), + "prusti": ([os.environ.get('EVAL_PRUSTI_EXE'), "--edition=2018"], [PRUSTI_ENV]), + "fstarlowstar": ([os.environ.get('EVAL_FSTARLOWSTAR_EXE'), + "--include", os.environ.get('EVAL_FSTARLOWSTAR_KRML'), "--cache_dir", os.environ.get('EVAL_FSTARLOWSTAR_KRML_OBJ')], []), + "creusot": ([os.environ.get('EVAL_CREUSOT_EXE'),], [CARGO_CREUSOT]), +} + +from explib import * + +def collect(tool, filenames, suffix, success_text): + cmd, opt = COMMANDS[tool] + my_env = os.environ.copy() + if PRUSTI_CACHE in opt: + sys.exit(-1) + if PRUSTI_ENV in opt: + my_env["DEFAULT_PRUSTI_SERVER_MAX_CONCURRENCY"] = "1" + + times = [] + for r in range(SAMPLES): + if CARGO_CREUSOT in opt: + elapsed_time = run_command(cmd, ['creusot-sessions/doubly-linked-list-oneshot'], success_text, my_env) + else: + elapsed_time = run_command(cmd, filenames, success_text, my_env) + if elapsed_time is None: + times.append(float('inf')) + break + else: + times.append(elapsed_time) + + print(f"{tool},{r},{elapsed_time}", file=sys.stderr) + + tool = tool.capitalize() + result = statistics.median(times) + # print(f"{tool},{elapsed_time}") + tool = tool.capitalize() + print(f"\\newcommand{{\\evalDoublyLinkedList{tool}}}{{{result:.2f}}}") + print(f"> \\newcommand{{\\evalDoublyLinkedList{tool}}}{{{result:.2f}}}", file=sys.stderr) + +if __name__ == "__main__": + collect("dafny", ["dafny.dfy"], ".dfy", b'0 errors') + collect("verus", ["verus.rs"], ".rs", b'0 errors') + # collect("prusti", "prusti.rs", ".rs", b'Successful verification') + collect("fstarlowstar", ["Fstarlowstar.fst", "FstarlowstarIface.fst", "FstarlowstarIface.fsti"], ".fst", b'All verification conditions discharged successfully') + collect("creusot", "creusot.rs", ".rs", b'replay OK') diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-01.rs b/milli/doubly-linked-list/repeat-creusot/creusot-01.rs new file mode 100644 index 0000000..bb220c9 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-01.rs @@ -0,0 +1,536 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-02.rs b/milli/doubly-linked-list/repeat-creusot/creusot-02.rs new file mode 100644 index 0000000..383993f --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-02.rs @@ -0,0 +1,541 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-03.rs b/milli/doubly-linked-list/repeat-creusot/creusot-03.rs new file mode 100644 index 0000000..0fdd234 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-03.rs @@ -0,0 +1,546 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-04.rs b/milli/doubly-linked-list/repeat-creusot/creusot-04.rs new file mode 100644 index 0000000..1ce0ef3 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-04.rs @@ -0,0 +1,551 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-05.rs b/milli/doubly-linked-list/repeat-creusot/creusot-05.rs new file mode 100644 index 0000000..f313e76 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-05.rs @@ -0,0 +1,556 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-06.rs b/milli/doubly-linked-list/repeat-creusot/creusot-06.rs new file mode 100644 index 0000000..14ee82d --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-06.rs @@ -0,0 +1,561 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-07.rs b/milli/doubly-linked-list/repeat-creusot/creusot-07.rs new file mode 100644 index 0000000..91704eb --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-07.rs @@ -0,0 +1,566 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-08.rs b/milli/doubly-linked-list/repeat-creusot/creusot-08.rs new file mode 100644 index 0000000..bb38269 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-08.rs @@ -0,0 +1,571 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-09.rs b/milli/doubly-linked-list/repeat-creusot/creusot-09.rs new file mode 100644 index 0000000..778f924 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-09.rs @@ -0,0 +1,576 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-10.rs b/milli/doubly-linked-list/repeat-creusot/creusot-10.rs new file mode 100644 index 0000000..77e35b7 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-10.rs @@ -0,0 +1,581 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + l1.push_back(9); + l2.push_back(9); + l3.push_back(9); + l4.push_back(9); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-11.rs b/milli/doubly-linked-list/repeat-creusot/creusot-11.rs new file mode 100644 index 0000000..ad36238 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-11.rs @@ -0,0 +1,586 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + l1.push_back(9); + l2.push_back(9); + l3.push_back(9); + l4.push_back(9); + + l1.push_back(10); + l2.push_back(10); + l3.push_back(10); + l4.push_back(10); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-12.rs b/milli/doubly-linked-list/repeat-creusot/creusot-12.rs new file mode 100644 index 0000000..91f093c --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-12.rs @@ -0,0 +1,591 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + l1.push_back(9); + l2.push_back(9); + l3.push_back(9); + l4.push_back(9); + + l1.push_back(10); + l2.push_back(10); + l3.push_back(10); + l4.push_back(10); + + l1.push_back(11); + l2.push_back(11); + l3.push_back(11); + l4.push_back(11); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-13.rs b/milli/doubly-linked-list/repeat-creusot/creusot-13.rs new file mode 100644 index 0000000..6323c4f --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-13.rs @@ -0,0 +1,596 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + l1.push_back(9); + l2.push_back(9); + l3.push_back(9); + l4.push_back(9); + + l1.push_back(10); + l2.push_back(10); + l3.push_back(10); + l4.push_back(10); + + l1.push_back(11); + l2.push_back(11); + l3.push_back(11); + l4.push_back(11); + + l1.push_back(12); + l2.push_back(12); + l3.push_back(12); + l4.push_back(12); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-14.rs b/milli/doubly-linked-list/repeat-creusot/creusot-14.rs new file mode 100644 index 0000000..1f9bd36 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-14.rs @@ -0,0 +1,601 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + l1.push_back(9); + l2.push_back(9); + l3.push_back(9); + l4.push_back(9); + + l1.push_back(10); + l2.push_back(10); + l3.push_back(10); + l4.push_back(10); + + l1.push_back(11); + l2.push_back(11); + l3.push_back(11); + l4.push_back(11); + + l1.push_back(12); + l2.push_back(12); + l3.push_back(12); + l4.push_back(12); + + l1.push_back(13); + l2.push_back(13); + l3.push_back(13); + l4.push_back(13); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-15.rs b/milli/doubly-linked-list/repeat-creusot/creusot-15.rs new file mode 100644 index 0000000..489db1c --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-15.rs @@ -0,0 +1,606 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + l1.push_back(9); + l2.push_back(9); + l3.push_back(9); + l4.push_back(9); + + l1.push_back(10); + l2.push_back(10); + l3.push_back(10); + l4.push_back(10); + + l1.push_back(11); + l2.push_back(11); + l3.push_back(11); + l4.push_back(11); + + l1.push_back(12); + l2.push_back(12); + l3.push_back(12); + l4.push_back(12); + + l1.push_back(13); + l2.push_back(13); + l3.push_back(13); + l4.push_back(13); + + l1.push_back(14); + l2.push_back(14); + l3.push_back(14); + l4.push_back(14); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat-creusot/creusot-16.rs b/milli/doubly-linked-list/repeat-creusot/creusot-16.rs new file mode 100644 index 0000000..43f0ae0 --- /dev/null +++ b/milli/doubly-linked-list/repeat-creusot/creusot-16.rs @@ -0,0 +1,611 @@ + +mod lemmas { + use creusot_contracts::logic::{FMap, Int, Mapping, Seq}; + use creusot_contracts::*; + + // #[law] + // #[open(self)] + // #[ensures(x.set(k, v1).set(k, v2) == x.set(k, v2))] + // pub fn map_set_overwrite(x: Mapping, k: K, v1: V, v2: V) {} + + #[law] + #[open(self)] + #[requires(k1 != k2)] + #[ensures(x.set(k1, v1).set(k2, v2) == x.set(k2, v2).set(k1, v1))] + pub fn map_set_commute(x: Mapping, k1: K, k2: K, v1: V, v2: V) {} + + // #[law] + // #[open(self)] + // #[requires(x.get(k) == v)] + // #[ensures(x.set(k, v) == x)] + // pub fn map_set_id(x: Mapping, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[ensures(x1.union(x2) == x2.union(x1))] + // pub fn union_commute(x1: FMap, x2: FMap) { + // proof_assert!(x1.union(x2).ext_eq(x2.union(x1))); + // } + + // #[law] + // #[open(self)] + // #[requires(x1.disjoint(x2))] + // #[requires(x1.contains(k))] + // #[ensures(x1.union(x2).remove(k).ext_eq(x1.remove(k).union(x2)))] + // pub fn union_remove(x1: FMap, x2: FMap, k: K) {} + + // #[law] + // #[open(self)] + // #[requires(x1.insert(k,v).disjoint(x2))] + // #[ensures(x1.union(x2).insert(k, v).ext_eq(x1.insert(k, v).union(x2)))] + // pub fn union_insert(x1: FMap, x2: FMap, k: K, v: V) {} + + // #[law] + // #[open(self)] + // #[ensures(FMap::empty().union(x).ext_eq(x))] + // pub fn union_empty(x: FMap) {} + + // #[logic] + // #[open(self)] + // #[ensures(s.subsequence(0, s.len()) == s)] + // pub fn subseq_full(s: Seq) { + // s.subsequence(0, s.len()).ext_eq(s); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i < s.len())] + // #[ensures(s.subsequence(i, i+1) == Seq::singleton(s[i]))] + // pub fn subseq_singleton(s: Seq, i: Int) { + // s.subsequence(i, i + 1).ext_eq(Seq::singleton(s[i])); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= k && k <= s.len())] + // #[ensures(s.subsequence(i, j).concat(s.subsequence(j, k)) == s.subsequence(i, k))] + // pub fn concat_subseq(s: Seq, i: Int, j: Int, k: Int) { + // s.subsequence(i, k) + // .ext_eq(s.subsequence(i, j).concat(s.subsequence(j, k))); + // } + + // #[logic] + // #[open(self)] + // #[ensures(s1.concat(s2).subsequence(0, s1.len()) == s1)] + // #[ensures(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len()) == s2)] + // pub fn subseq_concat(s1: Seq, s2: Seq) { + // s1.ext_eq(s1.concat(s2).subsequence(0, s1.len())); + // s2.ext_eq(s1.concat(s2).subsequence(s1.len(), s1.len() + s2.len())); + // } + + // #[logic] + // #[open(self)] + // #[requires(0 <= i && i <= j && j <= s.len() && 0 <= k && k <= l && i + l <= j)] + // #[ensures(s.subsequence(i, j).subsequence(k, l) == s.subsequence(i + k, i + l))] + // pub fn subseq_subseq(s: Seq, i: Int, j: Int, k: Int, l: Int) { + // s.subsequence(i + k, i + l) + // .ext_eq(s.subsequence(i, j).subsequence(k, l)); + // } +} + +mod linked_list { + use super::lemmas::*; + + use ::std::ptr; + use creusot_contracts::__stubs::fin; + use creusot_contracts::ghost_ptr::{GhostPtrExt, GhostPtrToken}; + use creusot_contracts::logic::FMap; + use creusot_contracts::*; + + struct Node { + data: T, + next: *const Node, + prev: *const Node, + } + + /// Is there a linked list segment from ptr to other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(ptr))] + // fn lseg_forward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(ptr) { + // None => false, + // Some(node) => lseg_forward(node.next, other, token.remove(ptr)), + // } + // } + // } + // + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_forward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(ptr) { + // None => Seq::EMPTY, + // Some(node) => { + // Seq::singleton(node.data).concat(lseg_forward_seq(node.next, other, token.remove(ptr))) + // } + // } + // } + // } + + // // ptr <-- other + // #[predicate] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == (token == FMap::empty()))] + // #[ensures(result && ptr != other ==> token.contains(other))] + // fn lseg_backward( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> bool { + // if ptr == other { + // token == FMap::empty() + // } else { + // match token.get(other) { + // None => false, + // Some(node) => lseg_backward(ptr, node.prev, token.remove(other)), + // } + // } + // } + // + // // ptr <-- other + // #[ghost] + // #[variant(token.len())] + // #[ensures(ptr == other ==> result == Seq::EMPTY)] + // fn lseg_backward_seq( + // ptr: *const Node, + // other: *const Node, + // token: FMap<*const Node, Node>, + // ) -> Seq { + // if ptr == other { + // Seq::EMPTY + // } else { + // match token.get(other) { + // None => Seq::EMPTY, + // Some(node) => { + // lseg_backward_seq(ptr, node.prev, token.remove(other)).concat(Seq::singleton(node.data)) + // } + // } + // } + // } + + /// Lemma for concatenating 2 segments + // #[logic] + // #[variant(token12.len())] + // #[requires(token12.disjoint(token23))] + // #[requires(lseg_forward(ptr1, ptr2, token12))] + // #[requires(lseg_forward(ptr2, ptr3, token23))] + // #[requires(!token12.contains(ptr3))] + // #[ensures(result)] + // #[ensures(lseg_forward(ptr1, ptr3, token12.union(token23)))] + // #[ensures(lseg_forward_seq(ptr1, ptr3, token12.union(token23)).ext_eq(lseg_forward_seq(ptr1, ptr2, token12).concat(lseg_forward_seq(ptr2, ptr3, token23))))] + // fn lseg_trans( + // ptr1: *const Node, + // ptr2: *const Node, + // ptr3: *const Node, + // token12: FMap<*const Node, Node>, + // token23: FMap<*const Node, Node>, + // ) -> bool { + // union_remove::<*const Node, Node>; + // union_empty::<*const Node, Node>; + // if ptr1 != ptr2 { + // let next = token12.lookup(ptr1).next; + // lseg_trans(next, ptr2, ptr3, token12.remove(ptr1), token23) + // } else { + // true + // } + // } + + pub struct LinkedList { + head: *const Node, + tail: *const Node, + ptrs: Ghost>>, + token: GhostPtrToken>, + } + + impl LinkedList { + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn prev_of(self, i: Int) -> *const Node { + if i == 0 { + <*const Node>::null_logic() + } else { + self.ptrs[i - 1] + } + } + + #[logic] + #[open(self)] + #[requires(i >= 0)] + fn next_of(self, i: Int) -> *const Node { + if i + 1 == self.ptrs.len() { + <*const Node>::null_logic() + } else { + self.ptrs[i + 1] + } + } + + #[predicate] + #[open(self)] + #[requires(i >= 0 && i < self.ptrs.len())] + fn wf_token(self, i: Int) -> bool { + self.token.shallow_model().contains(self.ptrs[i]) + && self.token.shallow_model().lookup(self.ptrs[i]).prev == self.prev_of(i) + && self.token.shallow_model().lookup(self.ptrs[i]).next == self.next_of(i) + } + + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + (forall (0 <= i && i < self.ptrs.len()) ==> self.wf_token(i)) + && if self.ptrs.len() == 0 { + self.head == <*const Node>::null_logic() && + self.tail == <*const Node>::null_logic() + } else { + self.head == self.ptrs[0] + && self.tail == self.ptrs[self.ptrs.len() - 1] + } + } + } + + #[ghost] + #[open(self)] + pub fn model(self) -> Seq { + pearlite! { + Seq::new((*self.ptrs).len(), + |i| self.token.shallow_model().lookup(self.ptrs[i]).data) + } + // if self.head == <*const Node>::null_logic() { + // Seq::EMPTY + // } else { + // lseg_forward_seq( + // self.head, + // self.tail, + // self.token.shallow_model().remove(self.tail), + // ) + // .concat(Seq::singleton( + // self.token.shallow_model().lookup(self.tail).data, + // )) + // } + } + + #[ensures(result.invariant())] + #[ensures(result.model() == Seq::EMPTY)] + pub fn new() -> Self { + let this = LinkedList { + head: ptr::null(), + tail: ptr::null(), + ptrs: gh!(Seq::EMPTY), + token: GhostPtrToken::new(), + }; + proof_assert!(this.model().ext_eq(Seq::EMPTY)); + this + } + + #[ensures(result.invariant())] + #[ensures(result.model().ext_eq(Seq::singleton(v)))] + pub fn singleton(v: T) -> Self { + // map_set_commute::<*const Node, Option>>; + let mut token = GhostPtrToken::new(); + let node = Node { + data: v, + next: ptr::null(), + prev: ptr::null(), + }; + let ptr = token.ptr_from_box(Box::new(node)); + LinkedList { + head: ptr, + tail: ptr, + ptrs: gh!(Seq::singleton(ptr)), + token, + } + } + + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures(Seq::singleton(result).concat((^self).model()).ext_eq((*self).model()))] + pub fn pop_front(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.head.is_null() { + unreachable!(); + } else { + proof_assert!(self.head == self.ptrs[0]); + proof_assert!(self.ptrs.len() > 0); + proof_assert!(self.token.shallow_model().contains(self.ptrs[0])); + let node = self.token.ptr_to_box(self.head); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[0]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.head = node.next; + if self.head.is_null() { + self.tail = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(1)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[1])); + proof_assert!(self.head == self.ptrs[1]); + let new_head = self.token.ptr_as_mut(self.head); + new_head.prev = ptr::null(); + self.ptrs = gh!(self.ptrs.subsequence(1, self.ptrs.len())); + proof_assert!(forall (0 <= i && i < self.ptrs.len() && self_ghost_old.wf_token(i + 1)) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < self.ptrs.len()) ==> self.wf_token(i)); + } + // proof_assert!(self.model().ext_eq(self_ghost_old.model().subsequence(1, self_ghost_old.model().len()))); + proof_assert!(node.data == self_ghost_old.model()[0]); + node.data + } + } + + #[requires((*self).invariant())] + #[requires((*self).model().len() > 0)] + #[ensures((^self).invariant())] + #[ensures((^self).model().concat(Seq::singleton(result)).ext_eq((*self).model()))] + pub fn pop_back(&mut self) -> T { + let self_ghost_old = gh!(*self); + map_set_commute::<*const Node, Option>>; + if self.tail.is_null() { + unreachable!(); + } else { + let node = self.token.ptr_to_box(self.tail); + proof_assert!(forall (self_ghost_old.token.shallow_model().contains(i) && i != self.ptrs[self.ptrs.len() - 1]) ==> self.token.shallow_model().contains(i)); + proof_assert!(forall (0 <= i && i < self.ptrs.len() - 1) ==> self.token.shallow_model().contains(self.ptrs[i])); + self.tail = node.prev; + if self.tail.is_null() { + self.head = ptr::null(); + } else { + proof_assert!(self.ptrs.len() > 1); + proof_assert!(self.token.shallow_model().subset(self_ghost_old.token.shallow_model())); + proof_assert!(self.wf_token(self.ptrs.len() - 2)); + proof_assert!(self.token.shallow_model().contains(self.ptrs[self.ptrs.len() - 2])); + proof_assert!(self.tail == self.ptrs[self.ptrs.len() - 2]); + let new_tail = self.token.ptr_as_mut(self.tail); + new_tail.next = ptr::null(); + } + self.ptrs = gh!(self.ptrs.subsequence(0, self.ptrs.len() - 1)); + proof_assert!(forall (0 <= i && i < self.ptrs.len()) ==> self_ghost_old.wf_token(i) ==> self.wf_token(i)); + node.data + } + } + + #[requires((*self).invariant())] + #[requires(other.invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(other.model())))] + pub fn append(&mut self, mut other: Self) { + let old_self = gh!(self); + let old_other = gh!(other); + if self.head.is_null() { + *self = other + } else if !other.head.is_null() { + let tail = self.token.ptr_as_mut(self.tail); + tail.next = other.head; + let head = other.token.ptr_as_mut(other.head); + head.prev = self.tail; + + self.token.merge(other.token); + self.tail = other.tail; + self.ptrs = gh!(self.ptrs.concat(*other.ptrs)); + proof_assert!(forall, Node>, b: _> a.disjoint(b) ==> a.subset(a.union(b))); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> + old_self.token.shallow_model().lookup(old_self.ptrs[i]) == + self.token.shallow_model().lookup(old_self.ptrs[i])); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> + old_other.token.shallow_model().lookup(old_other.ptrs[i]) == + self.token.shallow_model().lookup(old_other.ptrs[i])); + proof_assert!(self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev == + old_self.token.shallow_model().lookup(old_self.ptrs[old_self.ptrs.len() - 1]).prev); + proof_assert!(self.token.shallow_model().lookup(old_other.ptrs[0]).next == + old_other.token.shallow_model().lookup(old_other.ptrs[0]).next); + proof_assert!(self.wf_token(old_self.ptrs.len() - 1)); + proof_assert!(self.wf_token(old_self.ptrs.len())); + + proof_assert!(forall (0 <= i && i < old_self.ptrs.len() - 1) ==> old_self.wf_token(i) ==> self.wf_token(i)); + proof_assert!(forall (1 <= i && i < old_other.ptrs.len()) ==> old_other.wf_token(i) ==> self.wf_token(i + old_self.ptrs.len())); + } + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq((*self).model().concat(Seq::singleton(val))))] + pub fn push_back(&mut self, val: T) { + self.append(Self::singleton(val)) + } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures((^self).model().ext_eq(Seq::singleton(val).concat((*self).model())))] + pub fn push_front(&mut self, val: T) { + let mut this = Self::singleton(val); + std::mem::swap(self, &mut this); + self.append(this); + } + + #[requires((*self).invariant())] + #[requires(self.ptrs.len() > 0)] + #[ensures(result.invariant())] + // #[ensures(*result.index == 0)] + // #[ensures(result.model() == self.model())] + pub fn iter(&self) -> Iter<'_, T> { + Iter { + l: &self, + curr: self.head, + index: gh!(0), + } + } + } + + pub struct Iter<'a, T> { + pub l: &'a LinkedList, + curr: *const Node, + pub index: Ghost, + } + + impl<'a, T> Iter<'a, T> { + #[predicate] + #[open(self)] + pub fn invariant(self) -> bool { + pearlite! { + if self.curr != <*const Node>::null_logic() { + self.l.invariant() + && *self.index < self.l.model().len() + && self.curr == self.l.ptrs[*self.index] + && self.l.ptrs.len() > 0 + && *self.index >= 0 + } else { + true + } + } + } + + // #[ghost] + // #[open(self)] + // pub fn model(self) -> Seq { + // LinkedList { + // head: self.curr, + // tail: *self.tail, + // token: *self.token, + // ptrs: self.ptrs, + // } + // .model() + // } + + #[requires((*self).invariant())] + #[ensures((^self).invariant())] + #[ensures(match result { + Some(val) => *val == self.l.model()[*self.index], + None => true, + })] + #[ensures(match result { + Some(val) => *(^self).index == *(*self).index + 1, + None => true, + })] + pub fn next(&mut self) -> Option<&'a T> { + map_set_commute::<*const Node, Option>>; + if self.curr.is_null() { + return None; + } + + proof_assert!(self.l.wf_token(*self.index)); + let node = self.l.token.ptr_as_ref(self.curr); + self.curr = node.next; + self.index = gh!(*self.index + 1); + Some(&node.data) + } + } +} + +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + + l1.push_back(0); + l2.push_back(0); + l3.push_back(0); + l4.push_back(0); + + l1.push_back(1); + l2.push_back(1); + l3.push_back(1); + l4.push_back(1); + + l1.push_back(2); + l2.push_back(2); + l3.push_back(2); + l4.push_back(2); + + l1.push_back(3); + l2.push_back(3); + l3.push_back(3); + l4.push_back(3); + + l1.push_back(4); + l2.push_back(4); + l3.push_back(4); + l4.push_back(4); + + l1.push_back(5); + l2.push_back(5); + l3.push_back(5); + l4.push_back(5); + + l1.push_back(6); + l2.push_back(6); + l3.push_back(6); + l4.push_back(6); + + l1.push_back(7); + l2.push_back(7); + l3.push_back(7); + l4.push_back(7); + + l1.push_back(8); + l2.push_back(8); + l3.push_back(8); + l4.push_back(8); + + l1.push_back(9); + l2.push_back(9); + l3.push_back(9); + l4.push_back(9); + + l1.push_back(10); + l2.push_back(10); + l3.push_back(10); + l4.push_back(10); + + l1.push_back(11); + l2.push_back(11); + l3.push_back(11); + l4.push_back(11); + + l1.push_back(12); + l2.push_back(12); + l3.push_back(12); + l4.push_back(12); + + l1.push_back(13); + l2.push_back(13); + l3.push_back(13); + l4.push_back(13); + + l1.push_back(14); + l2.push_back(14); + l3.push_back(14); + l4.push_back(14); + + l1.push_back(15); + l2.push_back(15); + l3.push_back(15); + l4.push_back(15); + + } +} \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat.FstarlowstarMain.fst.py b/milli/doubly-linked-list/repeat.FstarlowstarMain.fst.py new file mode 100644 index 0000000..9380757 --- /dev/null +++ b/milli/doubly-linked-list/repeat.FstarlowstarMain.fst.py @@ -0,0 +1,56 @@ +def main_code(n): + num_lists = 4 + + prefix = """ +module FstarlowstarMain +open LowStar.BufferOps + +module DLL = FstarlowstarIface + +module B = LowStar.Buffer +module HS = FStar.HyperStack +module HST = FStar.HyperStack.ST +module G = FStar.Ghost +module L = FStar.List.Tot +module U32 = FStar.UInt32 +module MO = LowStar.Modifies + +open FStar.HyperStack.ST + +// A lower rlimit works, but give it more so that we can test scaling +#push-options "--z3rlimit 1000 --fuel 0 --ifuel 0" + +val main2: unit -> ST (Prims.unit) (fun _ -> true) (fun _ _ _ -> true) + +let main2 () = + HST.push_frame (); +""" + dlists = "\n".join( + [ + f" let d{i} : DLL.dll UInt32.t = DLL.dll_new () in" + for i in range(1, num_lists + 1) + ] + ) + nodes = "\n".join( + [ + f" let n{i}_{j} = DLL.node_of {j}ul in" + for i in range(1, num_lists + 1) + for j in range(n) + ] + ) + inserts = "\n".join( + [ + f" DLL.dll_insert_at_tail d{i} n{i}_{j};" + for i in range(1, num_lists + 1) + for j in range(n) + ] + ) + suffix = """ + HST.pop_frame () +""" + + return (prefix + dlists + "\n" + nodes + "\n" + inserts + suffix).strip() + + +if __name__ == "__main__": + print(main_code(2)) diff --git a/milli/doubly-linked-list/repeat.creusot.rs.py b/milli/doubly-linked-list/repeat.creusot.rs.py new file mode 100644 index 0000000..a834bd0 --- /dev/null +++ b/milli/doubly-linked-list/repeat.creusot.rs.py @@ -0,0 +1,22 @@ +def main_code(n): + p = lambda i: """ + l1.push_back({i}); + l2.push_back({i}); + l3.push_back({i}); + l4.push_back({i}); + """.format(i=i) + return (""" +mod main { + use creusot_contracts::*; + use super::linked_list::LinkedList; + + fn main() { + let mut l1 = LinkedList::new(); + let mut l2 = LinkedList::new(); + let mut l3 = LinkedList::new(); + let mut l4 = LinkedList::new(); + """ + + "".join(p(i) for i in range(n)) + """ + } +}""" + ) \ No newline at end of file diff --git a/milli/doubly-linked-list/repeat.dafny.dfy.py b/milli/doubly-linked-list/repeat.dafny.dfy.py new file mode 100644 index 0000000..c1fc25d --- /dev/null +++ b/milli/doubly-linked-list/repeat.dafny.dfy.py @@ -0,0 +1,22 @@ +def main_code(n): + p = lambda i: """ + l1.InsertTail({i}); + l2.InsertTail({i}); + l3.InsertTail({i}); + l4.InsertTail({i}); + """.format(i=i) + return (""" +module Main{ + import opened DoublyLinkedList + + method Main() { + var l1 := new DoublyLinkedList(); + var l2 := new DoublyLinkedList(); + var l3 := new DoublyLinkedList(); + var l4 := new DoublyLinkedList(); + """ + + "".join(p(i) for i in range(n)) + """ + } +} +""" + ) diff --git a/milli/doubly-linked-list/repeat.py b/milli/doubly-linked-list/repeat.py new file mode 100644 index 0000000..fda4679 --- /dev/null +++ b/milli/doubly-linked-list/repeat.py @@ -0,0 +1,107 @@ +import os +import tempfile +import subprocess +import sys +import shutil +import statistics + +PRUSTI_CACHE = 1 +CARGO_CREUSOT = 2 +PRUSTI_ENV = 4 +FSTAR_MODULES = 8 + +COMMANDS = { + "dafny": ([os.environ.get('EVAL_DAFNY_EXE'), "verify", "--cores", "1", "--boogie-filter", "*Main*"], []), + "verus": ([os.environ.get('EVAL_VERUS_EXE'), "--num-threads", "1", "--verify-module=main", "--crate-type=lib"], []), + "Fstarlowstar": ([os.environ.get('EVAL_FSTARLOWSTAR_EXE'), + "--include", os.environ.get('EVAL_FSTARLOWSTAR_KRML'), "--cache_dir", os.environ.get('EVAL_FSTARLOWSTAR_KRML')], [FSTAR_MODULES]), + "creusot": ([os.environ.get('EVAL_CREUSOT_EXE'),], [CARGO_CREUSOT]), +} + +from explib import * + +REPEAT_OUT_PATH = "repeat-out" + +def load_module(filename): + import importlib.util + spec = importlib.util.spec_from_file_location("m", filename) + module = importlib.util.module_from_spec(spec) + spec.loader.exec_module(module) + return module + +def read_code(filename): + with open(filename, "r") as f: + return f.read() + +def extract_code(filename, begin_marker, end_marker): + with open(filename, "r") as f: + lines = f.readlines() + start = next(i for i, line in enumerate(lines) if begin_marker in line) + end = next(i for i, line in enumerate(lines) if end_marker in line) + return "".join(lines[start+1:end]) + +def extract_pre(filename): + pre_code = extract_code(filename, "!!MAIN!!PRE_BEGIN!!", "!!MAIN!!PRE_END!!") + return pre_code + +def collect(tool, filename, suffix, success_text): + m = load_module("repeat." + filename + ".py") + pre_code = "" + + cmd, opt = COMMANDS[tool] + if FSTAR_MODULES in opt: + name1 = filename.replace('Main', '') + name2 = name1.replace('.fst', 'Iface.fst') + name3 = name1.replace('.fst', 'Iface.fsti') + for nn in [name1, name2, name3]: + shutil.copy(nn, REPEAT_OUT_PATH + '/' + nn) + else: + pre_code = extract_pre(filename) + my_env = os.environ.copy() + + out_filename = REPEAT_OUT_PATH + "/" + f"{tool}{suffix}" + + for i in range(1, 16 + 1): + main_code = m.main_code(i) + code = pre_code + main_code + + code = code.replace('// !!SCRIPT!!TRUSTED!! ', '') + # print(code) + + times = [] + for r in range(SAMPLES): + if CARGO_CREUSOT in opt: + elapsed_time = run_command(cmd, [f"creusot-sessions/linked-list-repeat-{i:02}"], success_text, my_env, timeout=100) + elif FSTAR_MODULES in opt: + out_filename = REPEAT_OUT_PATH + '/FstarlowstarMain.fst' + with open(out_filename, 'w') as f: + f.write(code) + f.flush() + elapsed_time = run_command(cmd, [out_filename], success_text, my_env, timeout=100) + else: + elapsed_time = run_command_on_code(tool, suffix, code, cmd, success_text, my_env, timeout=100) + + print(f"{i},{r},{tool},{elapsed_time}", file=sys.stderr) + # print(elapsed_time) + if elapsed_time is None: + times.append(float('inf')) + break + else: + times.append(elapsed_time) + + ptool = tool.capitalize() + result = statistics.median(times) + print(f"{i},{ptool},{result}") + print(f"> {i},{ptool},{result}", file=sys.stderr) + if result == float('inf'): + break + +if __name__ == "__main__": + if os.path.exists(REPEAT_OUT_PATH): + shutil.rmtree(REPEAT_OUT_PATH) + os.mkdir(REPEAT_OUT_PATH) + + collect("creusot", "creusot.rs", ".rs", b'replay OK') + collect("dafny", "dafny.dfy", ".dfy", b'0 errors') + collect("verus", "verus.rs", ".rs", b'0 errors') + collect("Fstarlowstar", "FstarlowstarMain.fst", ".fst", b'All verification conditions discharged successfully') diff --git a/milli/doubly-linked-list/repeat.verus.rs.py b/milli/doubly-linked-list/repeat.verus.rs.py new file mode 100644 index 0000000..a7a33be --- /dev/null +++ b/milli/doubly-linked-list/repeat.verus.rs.py @@ -0,0 +1,23 @@ +def main_code(n): + p = lambda i: """ + l1.push_front({i}); + l2.push_front({i}); + l3.push_front({i}); + l4.push_front({i}); + """.format(i=i) + return (""" +verus! { +mod main { +use vstd::prelude::*; +use super::doubly_linked_list::{DoublyLinkedList, Iterator}; +pub fn run() { + let mut l1 = DoublyLinkedList::::new(); + let mut l2 = DoublyLinkedList::::new(); + let mut l3 = DoublyLinkedList::::new(); + let mut l4 = DoublyLinkedList::::new(); + """ + + "".join(p(i) for i in range(n)) + """ +} +} +}""" + ) diff --git a/milli/doubly-linked-list/verus.rs b/milli/doubly-linked-list/verus.rs new file mode 100644 index 0000000..91910f6 --- /dev/null +++ b/milli/doubly-linked-list/verus.rs @@ -0,0 +1,508 @@ +// !!MAIN!!PRE_BEGIN!! +// #![allow(unused_imports)] + +use vstd::prelude::*; + +// use builtin_macros::*; +// mod pervasive; +// use pervasive::*; +// use crate::pervasive::{ptr_old_style::*}; +// use crate::pervasive::{seq::*}; +// use crate::pervasive::{seq_lib::*}; +// use crate::pervasive::{map::*}; +// use crate::pervasive::{modes::*}; +// use crate::pervasive::option::*; + +// use crate::pervasive::option::Option::Some; +// use crate::pervasive::option::Option::None; + +verus! { + +mod doubly_linked_list { +use vstd::prelude::*; +use vstd::ptr::{PPtr, PointsTo, Dealloc}; +use vstd::assert_by_contradiction; + +// Single node in the list + +struct Node { + prev: Option>>, + next: Option>>, + value: V, +} + +type MemPerms = (PointsTo>, Dealloc>); + +// Doubly-linked list +// Contains head pointer, tail pointer +// and in ghost code, tracks all the pointers and all the permissions to access the nodes + +pub struct DoublyLinkedList { + ptrs: Ghost>>>, + perms: Tracked>>, + + head: Option>>, + tail: Option>>, +} + +impl DoublyLinkedList { + spec fn prev_of(&self, i: nat) -> Option>> { + if i == 0 { + None + } else { + Some(self.ptrs@[i as int - 1]) + } + } + + spec fn next_of(&self, i: nat) -> Option>> { + if i + 1 == self.ptrs@.len() { + None + } else { + Some(self.ptrs@[i as int + 1]) + } + } + + spec fn wf_perm(&self, i: nat) -> bool { + &&& self.perms@.dom().contains(i) + &&& self.perms@[i].0@.pptr == self.ptrs@[i as int].id() + &&& self.perms@[i].1@.pptr == self.ptrs@[i as int].id() + &&& match self.perms@[i].0@.value { + Some(node) => node.prev == self.prev_of(i) + && node.next == self.next_of(i), + None => false, + } + } + + pub closed spec fn well_formed(&self) -> bool { + &&& forall|i: nat| 0 <= i && i < self.ptrs@.len() ==> self.wf_perm(i) + &&& if self.ptrs@.len() == 0 { + self.head == None::>> && self.tail == None::>> + } else { + &&& self.head == Some(self.ptrs@[0]) + &&& self.tail == Some(self.ptrs@[self.ptrs@.len() as int - 1]) + } + } + + pub closed spec fn view(&self) -> Seq + // recommends self.well_formed(), + { + Seq::::new(self.ptrs@.len(), |i: int| { + self.perms@[i as nat].0@.value.get_Some_0().value + }) + } + + pub fn new() -> (s: Self) + ensures s.well_formed(), s@.len() == 0, + { + DoublyLinkedList { + ptrs: Ghost(Seq::empty()), + perms: Tracked(Map::tracked_empty()), + head: None, + tail: None, + } + } + + fn push_empty_case(&mut self, v: V) + requires old(self).well_formed(), old(self).ptrs@.len() == 0, + ensures self.well_formed(), self@ == old(self)@.push(v), + { + + let (ptr, Tracked(perm), Tracked(dealloc)) = PPtr::new( + Node:: { prev: None, next: None, value: v } + ); + + proof { + self.ptrs@ = self.ptrs@.push(ptr); + self.perms.borrow_mut().tracked_insert((self.ptrs@.len() - 1) as nat, (perm, dealloc)); + } + + self.tail = Some(ptr.clone()); + self.head = Some(ptr); + + assert(self.view() =~= old(self).view().push(v)); + } + + pub fn push_back(&mut self, v: V) + requires old(self).well_formed(), + ensures self.well_formed(), self@ == old(self)@.push(v), + { + match &self.tail { + None => { + // Special case: list is empty + + proof { + assert_by_contradiction!(self.ptrs@.len() == 0, { + assert(self.wf_perm((self.ptrs@.len() - 1) as nat)); + }); + } + + self.push_empty_case(v); + } + Some(tail_ptr) => { + assert(self.ptrs@.len() > 0); + assert(self.wf_perm((self.ptrs@.len() - 1) as nat)); + + let tracked (mut tail_perm, tail_dealloc) = //: PermData> = + self.perms.borrow_mut().tracked_remove((self.ptrs@.len() - 1) as nat); + let mut tail_node = tail_ptr.take(Tracked(&mut tail_perm)); + let second_to_last_ptr = tail_node.prev; + + let (ptr, Tracked(perm), Tracked(dealloc)) = PPtr::new( + Node:: { prev: Some(tail_ptr.clone()), next: None, value: v } + ); + + tail_node.prev = second_to_last_ptr; + tail_node.next = Some(ptr.clone()); + tail_ptr.put(Tracked(&mut tail_perm), tail_node); + proof { + self.perms.borrow_mut().tracked_insert((self.ptrs@.len() - 1) as nat, (tail_perm, tail_dealloc)); + self.perms.borrow_mut().tracked_insert(self.ptrs@.len(), (perm, dealloc)); + self.ptrs@ = self.ptrs@.push(ptr); + } + self.tail = Some(ptr); + + let ghost i = (self.ptrs@.len() - 2) as nat; + let ghost prev_of_i = self.prev_of(i); + + assert(self.wf_perm((self.ptrs@.len() - 2) as nat)); + assert(self.wf_perm((self.ptrs@.len() - 1) as nat)); + assert(forall|i: nat| i < self.ptrs@.len() && old(self).wf_perm(i) ==> self.wf_perm(i)); + + assert(self.view().index(self.ptrs@.len() as int - 1) == v); + assert forall|i: int| 0 <= i && i < self.ptrs@.len() as int - 1 implies old(self)@[i] == self@[i] by { + assert(old(self).wf_perm(i as nat)); // trigger + } + assert(self@ =~= old(self)@.push(v)); + } + } + } + + pub fn pop_back(&mut self) -> (v: V) + requires old(self).well_formed(), old(self)@.len() > 0, + ensures self.well_formed(), + self@ == old(self)@.drop_last(), + v == old(self)@[old(self)@.len() as int - 1], + { + assert(self.wf_perm((self.ptrs@.len() - 1) as nat)); + + let last_ptr = self.tail.unwrap().clone(); + + let tracked (last_perm, last_dealloc) = self.perms.borrow_mut().tracked_remove((self.ptrs@.len() - 1) as nat); + let last_node = last_ptr.into_inner(Tracked(last_perm), Tracked(last_dealloc)); + + let v = last_node.value; + + match &last_node.prev { + None => { + self.tail = None; + self.head = None; + + proof { + assert_by_contradiction!(self.ptrs@.len() == 1, { + assert(old(self).wf_perm((self.ptrs@.len() - 2) as nat)); + let actual_penult_u64 = self.prev_of((self.ptrs@.len() - 1) as nat); + }); + } + } + Some(penult_ptr) => { + self.tail = Some(penult_ptr.clone()); + + assert(old(self)@.len() != 1); + assert(old(self)@.len() >= 2); + assert(old(self).wf_perm((self.ptrs@.len() - 2) as nat)); + + let ghost actual_penult_u64 = self.prev_of((self.ptrs@.len() - 1) as nat); + + let tracked (mut penult_perm, penult_dealloc) = self.perms.borrow_mut().tracked_remove((self.ptrs@.len() - 2) as nat); + let mut penult_node = penult_ptr.take(Tracked(&mut penult_perm)); + + penult_node.next = None; + + penult_ptr.put(Tracked(&mut penult_perm), penult_node); + proof { + self.perms.borrow_mut().tracked_insert((self.ptrs@.len() - 2) as nat, (penult_perm, penult_dealloc)); + } + } + } + + proof { + self.ptrs@ = self.ptrs@.drop_last(); + + if self.ptrs@.len() > 0 { + assert(self.wf_perm((self.ptrs@.len() - 1) as nat)); + } + } + + assert(forall|i: nat| i < self@.len() && old(self).wf_perm(i) ==> self.wf_perm(i)); + + assert forall|i: int| 0 <= i && i < self@.len() + implies #[trigger] self@[i] == old(self)@.drop_last()[i] by { + assert(old(self).wf_perm(i as nat)); // trigger + } + + assert(self@ =~= old(self)@.drop_last()); + + v + } + + pub fn pop_front(&mut self) -> (v: V) + requires old(self).well_formed(), old(self).view().len() > 0, + ensures + self.well_formed(), + self@ == old(self)@.subrange(1, old(self)@.len() as int), + v == old(self)@[0], + { + assert(self.wf_perm(0)); + + let first_ptr = self.head.unwrap().clone(); + let tracked (first_perm, first_dealloc) = self.perms.borrow_mut().tracked_remove(0); + let first_node = first_ptr.into_inner(Tracked(first_perm), Tracked(first_dealloc)); + + let v = first_node.value; + + match &first_node.next { + None => { + self.tail = None; + self.head = None; + + proof { + assert_by_contradiction!(self.ptrs@.len() == 1, { + assert(old(self).wf_perm(1)); + let actual_second_u64 = self.next_of(0); + }); + } + } + Some(second_ptr) => { + self.head = Some(second_ptr.clone()); + + assert(old(self)@.len() != 1); + assert(old(self)@.len() >= 2); + assert(old(self).wf_perm(1)); + + let ghost actual_second_u64 = self.next_of(0); + + let tracked (mut second_perm, second_dealloc) = self.perms.borrow_mut().tracked_remove(1); + let mut second_node = second_ptr.take(Tracked(&mut second_perm)); + + second_node.prev = None; + + second_ptr.put(Tracked(&mut second_perm), second_node); + proof { + self.perms.borrow_mut().tracked_insert(1, (second_perm, second_dealloc)); + + assert forall|j: nat| 1 <= j && j < old(self)@.len() implies self.perms@.dom().contains(j) by { + assert(old(self).wf_perm(j)); + }; + + self.perms.borrow_mut().tracked_map_keys_in_place( + Map::::new( + |j: nat| 0 <= j && j < old(self).view().len() - 1, + |j: nat| (j + 1) as nat, + ) + ); + } + } + } + + proof { + self.ptrs@ = self.ptrs@.subrange(1, self.ptrs@.len() as int); + + if self.ptrs@.len() > 0 { + assert(self.wf_perm(0)); + } + + assert(forall|i: nat| i < self.view().len() && old(self).wf_perm(i + 1) ==> self.wf_perm(i)); + + assert forall|i: int| 0 <= i && i < self@.len() implies + #[trigger] self@[i] == old(self)@.subrange(1, old(self)@.len() as int)[i] by { + assert(old(self).wf_perm(i as nat + 1)); // trigger + } + + assert(self@ =~= old(self)@.subrange(1, old(self)@.len() as int)); + } + + v + } + + pub fn push_front(&mut self, v: V) + requires old(self).well_formed(), + ensures self.well_formed(), self@ == seq![v].add(old(self)@), + { + match &self.head { + None => { + // Special case: list is empty + + proof { + assert_by_contradiction!(self.ptrs@.len() == 0, { + assert(self.wf_perm((self.ptrs@.len() - 1) as nat)); + }); + } + + self.push_empty_case(v); + assert(self@ =~= seq![v].add(old(self)@)); + } + Some(head_ptr) => { + assert(self.ptrs@.len() > 0); + assert(self.wf_perm(0)); + + let tracked (mut head_perm, head_dealloc) = self.perms.borrow_mut().tracked_remove(0); + let mut head_node = head_ptr.take(Tracked(&mut head_perm)); + let second_ptr = head_node.next; + + let (ptr, Tracked(perm), Tracked(dealloc)) = PPtr::new( + Node:: { prev: None, next: Some(head_ptr.clone()), value: v } + ); + + head_node.prev = Some(ptr.clone()); + head_node.next = second_ptr; + head_ptr.put(Tracked(&mut head_perm), head_node); + proof { + self.perms.borrow_mut().tracked_insert(0, (head_perm, head_dealloc)); + assert forall|j: nat| 0 <= j && j < old(self)@.len() implies self.perms@.dom().contains(j) by { + assert(old(self).wf_perm(j)); + } + + self.perms.borrow_mut().tracked_map_keys_in_place( + Map::::new( + |j: nat| 1 <= j && j <= old(self).view().len(), + |j: nat| (j - 1) as nat, + ) + ); + + self.perms.borrow_mut().tracked_insert(0, (perm, dealloc)); + self.ptrs@ = seq![ptr].add(self.ptrs@); + } + self.head = Some(ptr); + + let ghost i = 1; + let ghost next_of_i = self.next_of(i); + + assert(self.wf_perm(1)); + assert(self.wf_perm(0)); + assert(forall|i: nat| 1 <= i && i <= old(self).ptrs@.len() && + old(self).wf_perm((i - 1) as nat) ==> #[trigger] self.wf_perm(i)); + + assert(self@[0] == v); + assert forall|i: int| 1 <= i && i <= self.ptrs@.len() as int - 1 implies old(self)@[i - 1] == self@[i] by { + assert(old(self).wf_perm((i - 1) as nat)); // trigger + } + assert(self@ =~= seq![v].add(old(self)@)); + } + } + } +} + +pub struct Iterator<'a, V> { + l: &'a DoublyLinkedList, + cur: Option>>, + index: Ghost, +} + +impl<'a, V> Iterator<'a, V> { + pub closed spec fn list(&self) -> &'a DoublyLinkedList { + self.l + } + + pub closed spec fn index(&self) -> nat { + self.index@ + } + + pub closed spec fn valid(&self) -> bool { + &&& self.list().well_formed() + &&& self.index@ < self.list()@.len() + &&& self.cur.is_some() && self.cur.unwrap() =~= self.l.ptrs@[self.index@ as int] + } + + pub fn new(l: &'a DoublyLinkedList) -> (it: Self) + requires l.well_formed(), l@.len() > 0, + ensures it.valid(), it.index() == 0, it.list() == l, + { + Iterator { + l, + cur: l.head, + index: Ghost(0), + } + } + + pub fn value(&self) -> (v: &V) + requires self.valid(), + ensures v == self.list()@[self.index() as int], + { + let cur = self.cur.unwrap(); + assert(self.l.wf_perm(self.index())); + let tracked perm = self.l.perms.borrow().tracked_borrow(self.index()); + let node = cur.borrow(Tracked(&perm.0)); + &node.value + } + + pub fn move_next(&mut self) -> (good: bool) + requires old(self).valid(), + ensures + old(self).list() == self.list(), + good == (old(self).index() < old(self).list()@.len() - 1), + good ==> (self.valid() && self.index() == old(self).index() + 1), + { + assert(self.l.wf_perm(self.index())); + let cur = self.cur.unwrap(); + let tracked perm = self.l.perms.borrow().tracked_borrow(self.index()); + let node = cur.borrow(Tracked(&perm.0)); + + proof { + self.index@ = self.index@ + 1; + } + match &node.next { + None => { + self.cur = None; + false + } + Some(next_ptr) => { + self.cur = Some(next_ptr.clone()); + true + } + } + } +} + +} + +} // verus! +/// !!MAIN!!PRE_END!! + +verus! { +mod main { +use vstd::prelude::*; +use super::doubly_linked_list::{DoublyLinkedList, Iterator}; +pub fn run() { + let mut t = DoublyLinkedList::::new(); + + t.push_back(2); + t.push_back(3); + t.push_front(1); // 1, 2, 3 + + let mut it = Iterator::new(&t); + let v1 = it.value(); + assert(*v1 == 1); + let g = it.move_next(); + let v2 = it.value(); + assert(*v2 == 2); + let _ = it.move_next(); + let v3 = it.value(); + assert(*v3 == 3); + let g = it.move_next(); + assert(!g); + + let x = t.pop_back(); // 3 + let y = t.pop_front(); // 1 + let z = t.pop_front(); // 2 + + assert(x == 3); + assert(y == 1); + assert(z == 2); +} + +} + +fn main() { + main::run(); +} +} // verus! diff --git a/milli/experiments.sh b/milli/experiments.sh index 59f172e..fd669b5 100644 --- a/milli/experiments.sh +++ b/milli/experiments.sh @@ -1,4 +1,6 @@ +. "$HOME/.cargo/env" + eval $(opam env --switch=4.14.1) . util/verifiers-exe-vars