diff options
| author | Son Ho | 2023-01-27 18:15:58 +0100 | 
|---|---|---|
| committer | Son HO | 2023-06-04 21:54:38 +0200 | 
| commit | 252dd74608c8feaffbcaa703aa029e95ea528f8f (patch) | |
| tree | c9c0f4358a4e0deadfb2e7a945eba6bd0b01927e /backends/hol4 | |
| parent | ceb8447d10a395e9657a90ea656dd1218fa19a69 (diff) | |
Make progress on primitivesScript
Diffstat (limited to '')
| -rw-r--r-- | backends/hol4/ilistScript.sml | 82 | ||||
| -rw-r--r-- | backends/hol4/ilistTheory.sig | 63 | ||||
| -rw-r--r-- | backends/hol4/primitivesArithScript.sml | 55 | ||||
| -rw-r--r-- | backends/hol4/primitivesArithTheory.sig | 9 | ||||
| -rw-r--r-- | backends/hol4/primitivesScript.sml | 44 | ||||
| -rw-r--r-- | backends/hol4/primitivesTheory.sig | 291 | 
6 files changed, 333 insertions, 211 deletions
| diff --git a/backends/hol4/ilistScript.sml b/backends/hol4/ilistScript.sml new file mode 100644 index 00000000..3e17dcc8 --- /dev/null +++ b/backends/hol4/ilistScript.sml @@ -0,0 +1,82 @@ +open HolKernel boolLib bossLib Parse +open boolTheory arithmeticTheory integerTheory intLib listTheory stringTheory + +open primitivesArithTheory primitivesBaseTacLib + +(* The following theory contains alternative definitions of functions operating +   on lists like “EL” or “LENGTH”, but this time using integers rather than +   natural numbers. + +   By using integers, we make sure we don't have to convert back and forth +   between integers and natural numbers, which is extremely cumbersome in +   the proofs. + *) + +val _ = new_theory "ilist" + +val len_def = Define ‘ +  len [] : int = 0 /\ +  len (x :: ls) : int = 1 + len ls +’ + +(* Return the ith element of a list. + +   Remark: we initially added the following case, so that we wouldn't need the +   premise [i < len ls] is [index_eq_EL]: +   “index (i : int) [] = EL (Num i) []” + *) +val index_def = Define ‘ +  index (i : int) [] = EL (Num i) [] ∧ +  index (i : int) (x :: ls) = if i = 0 then x else (if 0 < i then index (i - 1) ls else ARB) +’ + +val update_def = Define ‘ +  update ([] : 'a list) (i : int) (y : 'a) : 'a list = [] ∧ + +  update (x :: ls) (i : int) y = +    if i = 0 then y :: ls else (if 0 < i then x :: update ls (i - 1) y else x :: ls) +’ + +Theorem len_eq_LENGTH: +  ∀ls. len ls = &(LENGTH ls) +Proof +  Induct_on ‘ls’ >> fs [len_def] >> cooper_tac +QED + +Theorem index_eq_EL: +  ∀(i: int) ls. +    0 ≤ i ⇒ +    i < len ls ⇒ +    index i ls = EL (Num i) ls +Proof   +  Induct_on ‘ls’ >> rpt strip_tac >> fs [len_def, index_def] >> +  Cases_on ‘i = 0’ >> fs [] >> +  (* TODO: automate *) +  sg ‘0 < i’ >- cooper_tac >> fs [] >> +  Cases_on ‘Num i’ >- (exfalso >> cooper_tac) >> fs [] >> +  last_assum (qspec_assume ‘i - 1’) >> +  pop_assum sg_premise_tac >- cooper_tac >> +  sg ‘n = Num (i - 1)’ >- cooper_tac >> fs [] >> +  last_assum irule >> cooper_tac +QED + +Theorem len_append: +  ∀l1 l2. len (l1 ++ l2) = len l1 + len l2 +Proof +  rw [len_eq_LENGTH] >> cooper_tac +QED + +Theorem append_len_eq: +  (∀l1 l2 l1' l2'. +       len l1 = len l1' ⇒ +       (l1 ⧺ l2 = l1' ⧺ l2' ⇔ l1 = l1' ∧ l2 = l2')) ∧ +  (∀l1 l2 l1' l2'. +        len l2 = len l2' ⇒ +        (l1 ⧺ l2 = l1' ⧺ l2' ⇔ l1 = l1' ∧ l2 = l2')) +Proof +  rw [len_eq_LENGTH] >> fs [APPEND_11_LENGTH] +QED + +(* TODO: prove more theorems, and add rewriting theorems *) + +val _ = export_theory () diff --git a/backends/hol4/ilistTheory.sig b/backends/hol4/ilistTheory.sig new file mode 100644 index 00000000..9612f063 --- /dev/null +++ b/backends/hol4/ilistTheory.sig @@ -0,0 +1,63 @@ +signature ilistTheory = +sig +  type thm = Thm.thm +   +  (*  Definitions  *) +    val index_def : thm +    val len_def : thm +    val update_def : thm +   +  (*  Theorems  *) +    val append_len_eq : thm +    val index_eq_EL : thm +    val len_append : thm +    val len_eq_LENGTH : thm +   +  val ilist_grammars : type_grammar.grammar * term_grammar.grammar +(* +   [primitivesArith] Parent theory of "ilist" +    +   [string] Parent theory of "ilist" +    +   [index_def]  Definition +       +      ⊢ (∀i. index i [] = EL (Num i) []) ∧ +        ∀i x ls. +          index i (x::ls) = +          if i = 0 then x else if 0 < i then index (i − 1) ls else ARB +    +   [len_def]  Definition +       +      ⊢ len [] = 0 ∧ ∀x ls. len (x::ls) = 1 + len ls +    +   [update_def]  Definition +       +      ⊢ (∀i y. update [] i y = []) ∧ +        ∀x ls i y. +          update (x::ls) i y = +          if i = 0 then y::ls +          else if 0 < i then x::update ls (i − 1) y +          else x::ls +    +   [append_len_eq]  Theorem +       +      ⊢ (∀l1 l2 l1' l2'. +           len l1 = len l1' ⇒ (l1 ⧺ l2 = l1' ⧺ l2' ⇔ l1 = l1' ∧ l2 = l2')) ∧ +        ∀l1 l2 l1' l2'. +          len l2 = len l2' ⇒ (l1 ⧺ l2 = l1' ⧺ l2' ⇔ l1 = l1' ∧ l2 = l2') +    +   [index_eq_EL]  Theorem +       +      ⊢ ∀i ls. 0 ≤ i ⇒ i < len ls ⇒ index i ls = EL (Num i) ls +    +   [len_append]  Theorem +       +      ⊢ ∀l1 l2. len (l1 ⧺ l2) = len l1 + len l2 +    +   [len_eq_LENGTH]  Theorem +       +      ⊢ ∀ls. len ls = &LENGTH ls +    +    +*) +end diff --git a/backends/hol4/primitivesArithScript.sml b/backends/hol4/primitivesArithScript.sml index 79d94698..eb2548fd 100644 --- a/backends/hol4/primitivesArithScript.sml +++ b/backends/hol4/primitivesArithScript.sml @@ -6,8 +6,27 @@ val _ = new_theory "primitivesArith"  (* TODO: we need a better library of lemmas about arithmetic *) -(* We generate and save an induction theorem for positive integers *) -Theorem int_induction: +val not_le_eq_gt = store_thm("not_le_eq_gt", “!(x y: int). ~(x <= y) <=> x > y”, cooper_tac) +val not_lt_eq_ge = store_thm("not_lt_eq_ge", “!(x y: int). ~(x < y) <=> x >= y”, cooper_tac) +(* TODO: add gsymed versions of those as rewriting theorems by default (we only want to +   manipulate ‘<’ and ‘≤’) *) +val not_ge_eq_lt = store_thm("not_ge_eq_lt", “!(x y: int). ~(x >= y) <=> x < y”, cooper_tac) +val not_gt_eq_le = store_thm("not_gt_eq_le", “!(x y: int). ~(x > y) <=> x <= y”, cooper_tac) + +val ge_eq_le = store_thm("ge_eq_le", “!(x y : int). x >= y <=> y <= x”, cooper_tac) +val le_eq_ge = store_thm("le_eq_ge", “!(x y : int). x <= y <=> y >= x”, cooper_tac) +val gt_eq_lt = store_thm("gt_eq_lt", “!(x y : int). x > y <=> y < x”, cooper_tac) +val lt_eq_gt = store_thm("lt_eq_gt", “!(x y : int). x < y <=> y > x”, cooper_tac) + +(* + * We generate and save an induction theorem for positive integers + *) + +(* This is the induction theorem we want. + +   Unfortunately, it often can't be applied by [Induct_on]. + *) +Theorem int_induction_ideal:    !(P : int -> bool). P 0 /\ (!i. 0 <= i /\ P i ==> P (i+1)) ==> !i. 0 <= i ==> P i  Proof    ntac 4 strip_tac >> @@ -21,20 +40,26 @@ Proof    rw [] >> try_tac cooper_tac  QED -val _ = TypeBase.update_induction int_induction - -(* TODO: add those as rewriting theorems by default *) -val not_le_eq_gt = store_thm("not_le_eq_gt", “!(x y: int). ~(x <= y) <=> x > y”, cooper_tac) -val not_lt_eq_ge = store_thm("not_lt_eq_ge", “!(x y: int). ~(x < y) <=> x >= y”, cooper_tac) -val not_ge_eq_lt = store_thm("not_ge_eq_lt", “!(x y: int). ~(x >= y) <=> x < y”, cooper_tac) -val not_gt_eq_le = store_thm("not_gt_eq_le", “!(x y: int). ~(x > y) <=> x <= y”, cooper_tac) +(* This induction theorem works well with [Induct_on] *) +Theorem int_induction: +  !(P : int -> bool). (∀i. i < 0 ⇒ P i) ∧ P 0 /\ (!i. P i ==> P (i+1)) ==> !i. P i +Proof +  ntac 3 strip_tac >> +  Cases_on ‘i < 0’ >- (last_assum irule >> fs []) >> +  fs [not_lt_eq_ge] >> +  Induct_on ‘Num i’ >> rpt strip_tac >> pop_last_assum ignore_tac +  >-(sg ‘i = 0’ >- cooper_tac >> fs []) >> +  last_assum (qspec_assume ‘i-1’) >> +  fs [] >> pop_assum irule >> +  rw [] >> try_tac cooper_tac >> +  first_assum (qspec_assume ‘i - 1’) >> +  pop_assum irule >> +  rw [] >> try_tac cooper_tac +QED -val ge_eq_le = store_thm("ge_eq_le", “!(x y : int). x >= y <=> y <= x”, cooper_tac) -val le_eq_ge = store_thm("le_eq_ge", “!(x y : int). x <= y <=> y >= x”, cooper_tac) -val gt_eq_lt = store_thm("gt_eq_lt", “!(x y : int). x > y <=> y < x”, cooper_tac) -val lt_eq_gt = store_thm("lt_eq_gt", “!(x y : int). x < y <=> y > x”, cooper_tac) +val _ = TypeBase.update_induction int_induction -Theorem int_of_num: +Theorem int_of_num_id:    ∀i. 0 ≤ i ⇒ &Num i = i  Proof    fs [INT_OF_NUM] @@ -64,7 +89,7 @@ Proof    imp_res_tac int_of_num >>    (* Associativity of & *)    pure_rewrite_tac [int_add] >> -  fs [] +  cooper_tac  QED  Theorem num_sub_1_eq: diff --git a/backends/hol4/primitivesArithTheory.sig b/backends/hol4/primitivesArithTheory.sig index 73a6cf20..b2172b7c 100644 --- a/backends/hol4/primitivesArithTheory.sig +++ b/backends/hol4/primitivesArithTheory.sig @@ -7,7 +7,8 @@ sig      val gt_eq_lt : thm      val int_add : thm      val int_induction : thm -    val int_of_num : thm +    val int_induction_ideal : thm +    val int_of_num_id : thm      val int_of_num_inj : thm      val le_eq_ge : thm      val lt_eq_gt : thm @@ -44,9 +45,13 @@ sig     [int_induction]  Theorem +      ⊢ ∀P. (∀i. i < 0 ⇒ P i) ∧ P 0 ∧ (∀i. P i ⇒ P (i + 1)) ⇒ ∀i. P i +    +   [int_induction_ideal]  Theorem +              ⊢ ∀P. P 0 ∧ (∀i. 0 ≤ i ∧ P i ⇒ P (i + 1)) ⇒ ∀i. 0 ≤ i ⇒ P i -   [int_of_num]  Theorem +   [int_of_num_id]  Theorem        ⊢ ∀i. 0 ≤ i ⇒ &Num i = i diff --git a/backends/hol4/primitivesScript.sml b/backends/hol4/primitivesScript.sml index b1dd770b..b7bc978f 100644 --- a/backends/hol4/primitivesScript.sml +++ b/backends/hol4/primitivesScript.sml @@ -1,7 +1,7 @@  open HolKernel boolLib bossLib Parse  open boolTheory arithmeticTheory integerTheory intLib listTheory stringTheory -open primitivesArithTheory primitivesBaseTacLib +open primitivesArithTheory primitivesBaseTacLib ilistTheory  val primitives_theory_name = "primitives"  val _ = new_theory primitives_theory_name @@ -1169,12 +1169,11 @@ val _ = new_constant ("vec_to_list", “:'a vec -> 'a list”)  (* TODO: we could also make ‘mk_vec’ return ‘'a vec’ (no result) *)  val _ = new_constant ("mk_vec", “:'a list -> 'a vec result”) -  val vec_to_list_num_bounds =    new_axiom ("vec_to_list_num_bounds", -    “!v. let l = LENGTH (vec_to_list v) in -     (0:num) <= l /\ l <= Num usize_max”) +    “!v. (0:num) <= LENGTH (vec_to_list v) /\ LENGTH (vec_to_list v) <= Num usize_max”) +(*  Theorem vec_to_list_int_bounds:    !v. 0 <= int_of_num (LENGTH (vec_to_list v)) /\ int_of_num (LENGTH (vec_to_list v)) <= usize_max  Proof @@ -1252,13 +1251,16 @@ Proof    Induct_on ‘ls’ >> Cases_on ‘i’ >> rw [update_def] >>    Cases_on ‘j’ >> fs []  QED +*) +(*  (* TODO: this is the base definition for index. Shall we remove the ‘return’ type? *)  val vec_index_def = Define ‘    vec_index i v =      if usize_to_int i ≤ usize_to_int (vec_len v)      then Return (EL (Num (usize_to_int i)) (vec_to_list v))      else Fail Failure’ +*)  (* TODO: shortcut for qspec_then ... ASSUME_TAC *)  (* TODO: use cooper_tac everywhere *) @@ -1300,6 +1302,7 @@ QED    &n < &m  *) +(*  val vec_insert_back_def = Define ‘    vec_insert_back (v : 'a vec) (i : usize) (x : 'a) = mk_vec (update (vec_to_list v) (Num (usize_to_int i)) x)’ @@ -1326,7 +1329,7 @@ Proof    sg ‘Num (usize_to_int i) < LENGTH (vec_to_list v)’ >-(      (* TODO: automate *)      pure_once_rewrite_tac [gsym INT_LT] >> -    dep_pure_once_rewrite_tac [primitivesArithTheory.int_of_num] >> +    dep_pure_once_rewrite_tac [int_of_num_id] >>      qspec_assume ‘i’ usize_to_int_bounds >> fs []    ) >>    fs [] >> @@ -1336,33 +1339,16 @@ Proof    rw [] >-(      (* TODO: automate *)      irule int_of_num_neq_inj >> -    dep_pure_rewrite_tac [primitivesArithTheory.int_of_num] >> +    dep_pure_rewrite_tac [int_of_num_id] >>      rw [usize_to_int_bounds] >>      metis_tac [int_to_usize_usize_to_int]    ) >>    (* TODO: automate *)    pure_once_rewrite_tac [gsym INT_LT] >> -  dep_pure_once_rewrite_tac [primitivesArithTheory.int_of_num] >> +  dep_pure_once_rewrite_tac [int_of_num_id] >>    qspec_assume ‘j’ usize_to_int_bounds >> fs []  QED - - -(* Small experiment: trying to redefine common functions with integers instead of nums *) -val index_def = Define ‘ -  index (i : int) (x :: ls) = if i = 0 then x else (if 0 < i then index (i - 1) ls else ARB) -’ - -val len_def = Define ‘ -  len [] : int = 0 /\ -  len (x :: ls) : int = 1 + len ls -’ - -val update_def = Define ‘ -  update ([] : 'a list) (i : int) (y : 'a) : 'a list = [] ∧ - -  update (x :: ls) (i : int) y = -    if i = 0 then y :: ls else (if 0 < i then x :: update ls (i - 1) y else x :: ls) -’ +*)  Theorem update_len:    ∀ls i y. len (update ls i y) = len ls @@ -1417,8 +1403,11 @@ QED  Theorem vec_to_list_int_bounds:    !v. 0 <= len (vec_to_list v) /\ len (vec_to_list v) <= usize_max  Proof -  (* TODO *) -  cheat +  gen_tac >> +  qspec_assume ‘v’ vec_to_list_num_bounds >> +  fs [len_eq_LENGTH] >> +  assume_tac usize_bounds >> fs [u16_max_def] >> +  cooper_tac  QED  val vec_len_def = Define ‘vec_len v = int_to_usize (len (vec_to_list v))’ @@ -1438,7 +1427,6 @@ val vec_index_def = Define ‘      then Return (index (usize_to_int i) (vec_to_list v))      else Fail Failure’ -(* TODO: *)  val mk_vec_spec = new_axiom ("mk_vec_spec",    “∀l. len l ≤ usize_max ⇒ ∃v. mk_vec l = Return v ∧ vec_to_list v = l”) diff --git a/backends/hol4/primitivesTheory.sig b/backends/hol4/primitivesTheory.sig index 92f02af8..23846737 100644 --- a/backends/hol4/primitivesTheory.sig +++ b/backends/hol4/primitivesTheory.sig @@ -85,14 +85,12 @@ sig      val i8_mul_def : thm      val i8_rem_def : thm      val i8_sub_def : thm -    val index_def : thm      val int_rem_def : thm      val isize_add_def : thm      val isize_div_def : thm      val isize_mul_def : thm      val isize_rem_def : thm      val isize_sub_def : thm -    val len_def : thm      val massert_def : thm      val mem_replace_back_def : thm      val mem_replace_fwd_def : thm @@ -142,7 +140,6 @@ sig      val u8_mul_def : thm      val u8_rem_def : thm      val u8_sub_def : thm -    val update_def : thm      val usize_add_def : thm      val usize_div_def : thm      val usize_mul_def : thm @@ -151,8 +148,6 @@ sig      val vec_index_def : thm      val vec_insert_back_def : thm      val vec_len_def : thm -    val vec_new_def : thm -    val vec_push_back_def : thm    (*  Theorems  *)      val datatype_error : thm @@ -237,7 +232,6 @@ sig      val u8_mul_eq : thm      val u8_rem_eq : thm      val u8_sub_eq : thm -    val update_ind : thm      val update_len : thm      val update_spec : thm      val usize_add_eq : thm @@ -251,209 +245,208 @@ sig    val primitives_grammars : type_grammar.grammar * term_grammar.grammar  (* -   [primitivesArith] Parent theory of "primitives" +   [ilist] Parent theory of "primitives" -   [string] Parent theory of "primitives" +   [isize_bounds]  Axiom +       +      [oracles: ] [axioms: isize_bounds] [] +      ⊢ isize_min ≤ i16_min ∧ isize_max ≥ i16_max -   [mk_vec_spec]  Axiom +   [usize_bounds]  Axiom -      [oracles: ] [axioms: mk_vec_spec] [] -      ⊢ ∀l. len l ≤ usize_max ⇒ ∃v. mk_vec l = Return v ∧ vec_to_list v = l +      [oracles: ] [axioms: usize_bounds] [] ⊢ usize_max ≥ u16_max -   [vec_to_list_num_bounds]  Axiom +   [isize_to_int_bounds]  Axiom -      [oracles: ] [axioms: vec_to_list_num_bounds] [] -      ⊢ ∀v. (let l = LENGTH (vec_to_list v) in 0 ≤ l ∧ l ≤ Num usize_max) +      [oracles: ] [axioms: isize_to_int_bounds] [] +      ⊢ ∀n. isize_min ≤ isize_to_int n ∧ isize_to_int n ≤ isize_max -   [int_to_usize_usize_to_int]  Axiom +   [i8_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_usize_usize_to_int] [] -      ⊢ ∀i. int_to_usize (usize_to_int i) = i +      [oracles: ] [axioms: i8_to_int_bounds] [] +      ⊢ ∀n. i8_min ≤ i8_to_int n ∧ i8_to_int n ≤ i8_max -   [int_to_u128_u128_to_int]  Axiom +   [i16_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_u128_u128_to_int] [] -      ⊢ ∀i. int_to_u128 (u128_to_int i) = i +      [oracles: ] [axioms: i16_to_int_bounds] [] +      ⊢ ∀n. i16_min ≤ i16_to_int n ∧ i16_to_int n ≤ i16_max -   [int_to_u64_u64_to_int]  Axiom +   [i32_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_u64_u64_to_int] [] -      ⊢ ∀i. int_to_u64 (u64_to_int i) = i +      [oracles: ] [axioms: i32_to_int_bounds] [] +      ⊢ ∀n. i32_min ≤ i32_to_int n ∧ i32_to_int n ≤ i32_max -   [int_to_u32_u32_to_int]  Axiom +   [i64_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_u32_u32_to_int] [] -      ⊢ ∀i. int_to_u32 (u32_to_int i) = i +      [oracles: ] [axioms: i64_to_int_bounds] [] +      ⊢ ∀n. i64_min ≤ i64_to_int n ∧ i64_to_int n ≤ i64_max -   [int_to_u16_u16_to_int]  Axiom +   [i128_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_u16_u16_to_int] [] -      ⊢ ∀i. int_to_u16 (u16_to_int i) = i +      [oracles: ] [axioms: i128_to_int_bounds] [] +      ⊢ ∀n. i128_min ≤ i128_to_int n ∧ i128_to_int n ≤ i128_max -   [int_to_u8_u8_to_int]  Axiom +   [usize_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_u8_u8_to_int] [] -      ⊢ ∀i. int_to_u8 (u8_to_int i) = i +      [oracles: ] [axioms: usize_to_int_bounds] [] +      ⊢ ∀n. 0 ≤ usize_to_int n ∧ usize_to_int n ≤ usize_max -   [int_to_isize_isize_to_int]  Axiom +   [u8_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_isize_isize_to_int] [] -      ⊢ ∀i. int_to_isize (isize_to_int i) = i +      [oracles: ] [axioms: u8_to_int_bounds] [] +      ⊢ ∀n. 0 ≤ u8_to_int n ∧ u8_to_int n ≤ u8_max -   [int_to_i128_i128_to_int]  Axiom +   [u16_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_i128_i128_to_int] [] -      ⊢ ∀i. int_to_i128 (i128_to_int i) = i +      [oracles: ] [axioms: u16_to_int_bounds] [] +      ⊢ ∀n. 0 ≤ u16_to_int n ∧ u16_to_int n ≤ u16_max -   [int_to_i64_i64_to_int]  Axiom +   [u32_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_i64_i64_to_int] [] -      ⊢ ∀i. int_to_i64 (i64_to_int i) = i +      [oracles: ] [axioms: u32_to_int_bounds] [] +      ⊢ ∀n. 0 ≤ u32_to_int n ∧ u32_to_int n ≤ u32_max -   [int_to_i32_i32_to_int]  Axiom +   [u64_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_i32_i32_to_int] [] -      ⊢ ∀i. int_to_i32 (i32_to_int i) = i +      [oracles: ] [axioms: u64_to_int_bounds] [] +      ⊢ ∀n. 0 ≤ u64_to_int n ∧ u64_to_int n ≤ u64_max -   [int_to_i16_i16_to_int]  Axiom +   [u128_to_int_bounds]  Axiom -      [oracles: ] [axioms: int_to_i16_i16_to_int] [] -      ⊢ ∀i. int_to_i16 (i16_to_int i) = i +      [oracles: ] [axioms: u128_to_int_bounds] [] +      ⊢ ∀n. 0 ≤ u128_to_int n ∧ u128_to_int n ≤ u128_max -   [int_to_i8_i8_to_int]  Axiom +   [isize_to_int_int_to_isize]  Axiom -      [oracles: ] [axioms: int_to_i8_i8_to_int] [] -      ⊢ ∀i. int_to_i8 (i8_to_int i) = i +      [oracles: ] [axioms: isize_to_int_int_to_isize] [] +      ⊢ ∀n. isize_min ≤ n ∧ n ≤ isize_max ⇒ +            isize_to_int (int_to_isize n) = n -   [u128_to_int_int_to_u128]  Axiom +   [i8_to_int_int_to_i8]  Axiom -      [oracles: ] [axioms: u128_to_int_int_to_u128] [] -      ⊢ ∀n. 0 ≤ n ∧ n ≤ u128_max ⇒ u128_to_int (int_to_u128 n) = n +      [oracles: ] [axioms: i8_to_int_int_to_i8] [] +      ⊢ ∀n. i8_min ≤ n ∧ n ≤ i8_max ⇒ i8_to_int (int_to_i8 n) = n -   [u64_to_int_int_to_u64]  Axiom +   [i16_to_int_int_to_i16]  Axiom -      [oracles: ] [axioms: u64_to_int_int_to_u64] [] -      ⊢ ∀n. 0 ≤ n ∧ n ≤ u64_max ⇒ u64_to_int (int_to_u64 n) = n +      [oracles: ] [axioms: i16_to_int_int_to_i16] [] +      ⊢ ∀n. i16_min ≤ n ∧ n ≤ i16_max ⇒ i16_to_int (int_to_i16 n) = n -   [u32_to_int_int_to_u32]  Axiom +   [i32_to_int_int_to_i32]  Axiom -      [oracles: ] [axioms: u32_to_int_int_to_u32] [] -      ⊢ ∀n. 0 ≤ n ∧ n ≤ u32_max ⇒ u32_to_int (int_to_u32 n) = n +      [oracles: ] [axioms: i32_to_int_int_to_i32] [] +      ⊢ ∀n. i32_min ≤ n ∧ n ≤ i32_max ⇒ i32_to_int (int_to_i32 n) = n -   [u16_to_int_int_to_u16]  Axiom +   [i64_to_int_int_to_i64]  Axiom -      [oracles: ] [axioms: u16_to_int_int_to_u16] [] -      ⊢ ∀n. 0 ≤ n ∧ n ≤ u16_max ⇒ u16_to_int (int_to_u16 n) = n +      [oracles: ] [axioms: i64_to_int_int_to_i64] [] +      ⊢ ∀n. i64_min ≤ n ∧ n ≤ i64_max ⇒ i64_to_int (int_to_i64 n) = n -   [u8_to_int_int_to_u8]  Axiom +   [i128_to_int_int_to_i128]  Axiom -      [oracles: ] [axioms: u8_to_int_int_to_u8] [] -      ⊢ ∀n. 0 ≤ n ∧ n ≤ u8_max ⇒ u8_to_int (int_to_u8 n) = n +      [oracles: ] [axioms: i128_to_int_int_to_i128] [] +      ⊢ ∀n. i128_min ≤ n ∧ n ≤ i128_max ⇒ i128_to_int (int_to_i128 n) = n     [usize_to_int_int_to_usize]  Axiom        [oracles: ] [axioms: usize_to_int_int_to_usize] []        ⊢ ∀n. 0 ≤ n ∧ n ≤ usize_max ⇒ usize_to_int (int_to_usize n) = n -   [i128_to_int_int_to_i128]  Axiom -       -      [oracles: ] [axioms: i128_to_int_int_to_i128] [] -      ⊢ ∀n. i128_min ≤ n ∧ n ≤ i128_max ⇒ i128_to_int (int_to_i128 n) = n -    -   [i64_to_int_int_to_i64]  Axiom +   [u8_to_int_int_to_u8]  Axiom -      [oracles: ] [axioms: i64_to_int_int_to_i64] [] -      ⊢ ∀n. i64_min ≤ n ∧ n ≤ i64_max ⇒ i64_to_int (int_to_i64 n) = n +      [oracles: ] [axioms: u8_to_int_int_to_u8] [] +      ⊢ ∀n. 0 ≤ n ∧ n ≤ u8_max ⇒ u8_to_int (int_to_u8 n) = n -   [i32_to_int_int_to_i32]  Axiom +   [u16_to_int_int_to_u16]  Axiom -      [oracles: ] [axioms: i32_to_int_int_to_i32] [] -      ⊢ ∀n. i32_min ≤ n ∧ n ≤ i32_max ⇒ i32_to_int (int_to_i32 n) = n +      [oracles: ] [axioms: u16_to_int_int_to_u16] [] +      ⊢ ∀n. 0 ≤ n ∧ n ≤ u16_max ⇒ u16_to_int (int_to_u16 n) = n -   [i16_to_int_int_to_i16]  Axiom +   [u32_to_int_int_to_u32]  Axiom -      [oracles: ] [axioms: i16_to_int_int_to_i16] [] -      ⊢ ∀n. i16_min ≤ n ∧ n ≤ i16_max ⇒ i16_to_int (int_to_i16 n) = n +      [oracles: ] [axioms: u32_to_int_int_to_u32] [] +      ⊢ ∀n. 0 ≤ n ∧ n ≤ u32_max ⇒ u32_to_int (int_to_u32 n) = n -   [i8_to_int_int_to_i8]  Axiom +   [u64_to_int_int_to_u64]  Axiom -      [oracles: ] [axioms: i8_to_int_int_to_i8] [] -      ⊢ ∀n. i8_min ≤ n ∧ n ≤ i8_max ⇒ i8_to_int (int_to_i8 n) = n +      [oracles: ] [axioms: u64_to_int_int_to_u64] [] +      ⊢ ∀n. 0 ≤ n ∧ n ≤ u64_max ⇒ u64_to_int (int_to_u64 n) = n -   [isize_to_int_int_to_isize]  Axiom +   [u128_to_int_int_to_u128]  Axiom -      [oracles: ] [axioms: isize_to_int_int_to_isize] [] -      ⊢ ∀n. isize_min ≤ n ∧ n ≤ isize_max ⇒ -            isize_to_int (int_to_isize n) = n +      [oracles: ] [axioms: u128_to_int_int_to_u128] [] +      ⊢ ∀n. 0 ≤ n ∧ n ≤ u128_max ⇒ u128_to_int (int_to_u128 n) = n -   [u128_to_int_bounds]  Axiom +   [int_to_i8_i8_to_int]  Axiom -      [oracles: ] [axioms: u128_to_int_bounds] [] -      ⊢ ∀n. 0 ≤ u128_to_int n ∧ u128_to_int n ≤ u128_max +      [oracles: ] [axioms: int_to_i8_i8_to_int] [] +      ⊢ ∀i. int_to_i8 (i8_to_int i) = i -   [u64_to_int_bounds]  Axiom +   [int_to_i16_i16_to_int]  Axiom -      [oracles: ] [axioms: u64_to_int_bounds] [] -      ⊢ ∀n. 0 ≤ u64_to_int n ∧ u64_to_int n ≤ u64_max +      [oracles: ] [axioms: int_to_i16_i16_to_int] [] +      ⊢ ∀i. int_to_i16 (i16_to_int i) = i -   [u32_to_int_bounds]  Axiom +   [int_to_i32_i32_to_int]  Axiom -      [oracles: ] [axioms: u32_to_int_bounds] [] -      ⊢ ∀n. 0 ≤ u32_to_int n ∧ u32_to_int n ≤ u32_max +      [oracles: ] [axioms: int_to_i32_i32_to_int] [] +      ⊢ ∀i. int_to_i32 (i32_to_int i) = i -   [u16_to_int_bounds]  Axiom +   [int_to_i64_i64_to_int]  Axiom -      [oracles: ] [axioms: u16_to_int_bounds] [] -      ⊢ ∀n. 0 ≤ u16_to_int n ∧ u16_to_int n ≤ u16_max +      [oracles: ] [axioms: int_to_i64_i64_to_int] [] +      ⊢ ∀i. int_to_i64 (i64_to_int i) = i -   [u8_to_int_bounds]  Axiom +   [int_to_i128_i128_to_int]  Axiom -      [oracles: ] [axioms: u8_to_int_bounds] [] -      ⊢ ∀n. 0 ≤ u8_to_int n ∧ u8_to_int n ≤ u8_max +      [oracles: ] [axioms: int_to_i128_i128_to_int] [] +      ⊢ ∀i. int_to_i128 (i128_to_int i) = i -   [usize_to_int_bounds]  Axiom +   [int_to_isize_isize_to_int]  Axiom -      [oracles: ] [axioms: usize_to_int_bounds] [] -      ⊢ ∀n. 0 ≤ usize_to_int n ∧ usize_to_int n ≤ usize_max +      [oracles: ] [axioms: int_to_isize_isize_to_int] [] +      ⊢ ∀i. int_to_isize (isize_to_int i) = i -   [i128_to_int_bounds]  Axiom +   [int_to_u8_u8_to_int]  Axiom -      [oracles: ] [axioms: i128_to_int_bounds] [] -      ⊢ ∀n. i128_min ≤ i128_to_int n ∧ i128_to_int n ≤ i128_max +      [oracles: ] [axioms: int_to_u8_u8_to_int] [] +      ⊢ ∀i. int_to_u8 (u8_to_int i) = i -   [i64_to_int_bounds]  Axiom +   [int_to_u16_u16_to_int]  Axiom -      [oracles: ] [axioms: i64_to_int_bounds] [] -      ⊢ ∀n. i64_min ≤ i64_to_int n ∧ i64_to_int n ≤ i64_max +      [oracles: ] [axioms: int_to_u16_u16_to_int] [] +      ⊢ ∀i. int_to_u16 (u16_to_int i) = i -   [i32_to_int_bounds]  Axiom +   [int_to_u32_u32_to_int]  Axiom -      [oracles: ] [axioms: i32_to_int_bounds] [] -      ⊢ ∀n. i32_min ≤ i32_to_int n ∧ i32_to_int n ≤ i32_max +      [oracles: ] [axioms: int_to_u32_u32_to_int] [] +      ⊢ ∀i. int_to_u32 (u32_to_int i) = i -   [i16_to_int_bounds]  Axiom +   [int_to_u64_u64_to_int]  Axiom -      [oracles: ] [axioms: i16_to_int_bounds] [] -      ⊢ ∀n. i16_min ≤ i16_to_int n ∧ i16_to_int n ≤ i16_max +      [oracles: ] [axioms: int_to_u64_u64_to_int] [] +      ⊢ ∀i. int_to_u64 (u64_to_int i) = i -   [i8_to_int_bounds]  Axiom +   [int_to_u128_u128_to_int]  Axiom -      [oracles: ] [axioms: i8_to_int_bounds] [] -      ⊢ ∀n. i8_min ≤ i8_to_int n ∧ i8_to_int n ≤ i8_max +      [oracles: ] [axioms: int_to_u128_u128_to_int] [] +      ⊢ ∀i. int_to_u128 (u128_to_int i) = i -   [isize_to_int_bounds]  Axiom +   [int_to_usize_usize_to_int]  Axiom -      [oracles: ] [axioms: isize_to_int_bounds] [] -      ⊢ ∀n. isize_min ≤ isize_to_int n ∧ isize_to_int n ≤ isize_max +      [oracles: ] [axioms: int_to_usize_usize_to_int] [] +      ⊢ ∀i. int_to_usize (usize_to_int i) = i -   [usize_bounds]  Axiom +   [vec_to_list_num_bounds]  Axiom -      [oracles: ] [axioms: usize_bounds] [] ⊢ usize_max ≥ u16_max +      [oracles: ] [axioms: vec_to_list_num_bounds] [] +      ⊢ ∀v. 0 ≤ LENGTH (vec_to_list v) ∧ +            LENGTH (vec_to_list v) ≤ Num usize_max -   [isize_bounds]  Axiom +   [mk_vec_spec]  Axiom -      [oracles: ] [axioms: isize_bounds] [] -      ⊢ isize_min ≤ i16_min ∧ isize_max ≥ i16_max +      [oracles: ] [axioms: mk_vec_spec] [] +      ⊢ ∀l. len l ≤ usize_max ⇒ ∃v. mk_vec l = Return v ∧ vec_to_list v = l     [bind_def]  Definition @@ -648,12 +641,6 @@ sig        ⊢ ∀x y. i8_sub x y = mk_i8 (i8_to_int x − i8_to_int y) -   [index_def]  Definition -       -      ⊢ ∀i x ls. -          index i (x::ls) = -          if i = 0 then x else if 0 < i then index (i − 1) ls else ARB -        [int_rem_def]  Definition        ⊢ ∀x y. @@ -686,10 +673,6 @@ sig        ⊢ ∀x y. isize_sub x y = mk_isize (isize_to_int x − isize_to_int y) -   [len_def]  Definition -       -      ⊢ len [] = 0 ∧ ∀x ls. len (x::ls) = 1 + len ls -        [massert_def]  Definition        ⊢ ∀b. massert b = if b then Return () else Fail Failure @@ -961,15 +944,6 @@ sig        ⊢ ∀x y. u8_sub x y = mk_u8 (u8_to_int x − u8_to_int y) -   [update_def]  Definition -       -      ⊢ (∀i y. update [] i y = []) ∧ -        ∀x ls i y. -          update (x::ls) i y = -          if i = 0 then y::ls -          else if 0 < i then x::update ls (i − 1) y -          else x::ls -        [usize_add_def]  Definition        ⊢ ∀x y. usize_add x y = mk_usize (usize_to_int x + usize_to_int y) @@ -1014,15 +988,6 @@ sig        ⊢ ∀v. vec_len v = int_to_usize (len (vec_to_list v)) -   [vec_new_def]  Definition -       -      ⊢ vec_new = -        case mk_vec [] of Return v => v | Fail v2 => ARB | Loop => ARB -    -   [vec_push_back_def]  Definition -       -      ⊢ ∀v x. vec_push_back v x = mk_vec (vec_to_list v ⧺ [x]) -        [datatype_error]  Theorem        ⊢ DATATYPE (error Failure) @@ -1729,12 +1694,6 @@ sig            ∃z. u8_sub x y = Return z ∧                u8_to_int z = u8_to_int x − u8_to_int y -   [update_ind]  Theorem -       -      ⊢ ∀P. (∀i y. P [] i y) ∧ (∀v0 ls y. P (v0::ls) 0 y) ∧ -            (∀x ls i y. P ls i y ⇒ P (x::ls) (SUC i) y) ⇒ -            ∀v v1 v2. P v v1 v2 -        [update_len]  Theorem        ⊢ ∀ls i y. len (update ls i y) = len ls @@ -1801,9 +1760,9 @@ sig     [vec_insert_back_spec]  Theorem -      [oracles: DISK_THM, cheat] -      [axioms: usize_to_int_bounds, usize_to_int_int_to_usize, mk_vec_spec] -      [] +      [oracles: DISK_THM] +      [axioms: vec_to_list_num_bounds, usize_bounds, +       usize_to_int_int_to_usize, usize_to_int_bounds, mk_vec_spec] []        ⊢ ∀v i x.            usize_to_int i < usize_to_int (vec_len v) ⇒            ∃nv. @@ -1815,13 +1774,13 @@ sig     [vec_len_spec]  Theorem -      [oracles: DISK_THM, cheat] [axioms: ] [] +      [oracles: DISK_THM] [axioms: usize_bounds, vec_to_list_num_bounds] []        ⊢ ∀v. vec_len v = int_to_usize (len (vec_to_list v)) ∧              0 ≤ len (vec_to_list v) ∧ len (vec_to_list v) ≤ usize_max     [vec_to_list_int_bounds]  Theorem -      [oracles: cheat] [axioms: ] [] +      [oracles: DISK_THM] [axioms: usize_bounds, vec_to_list_num_bounds] []        ⊢ ∀v. 0 ≤ len (vec_to_list v) ∧ len (vec_to_list v) ≤ usize_max | 
