summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile29
-rw-r--r--tests/hol4/betree/Holmakefile5
-rw-r--r--tests/hol4/betree/betreeMain_FunsScript.sml1214
-rw-r--r--tests/hol4/betree/betreeMain_FunsTheory.sig1240
-rw-r--r--tests/hol4/betree/betreeMain_OpaqueScript.sml26
-rw-r--r--tests/hol4/betree/betreeMain_OpaqueTheory.sig11
-rw-r--r--tests/hol4/betree/betreeMain_TypesScript.sml76
-rw-r--r--tests/hol4/betree/betreeMain_TypesTheory.sig1751
-rw-r--r--tests/hol4/hashmap/Holmakefile5
-rw-r--r--tests/hol4/hashmap/hashmap_FunsScript.sml567
-rw-r--r--tests/hol4/hashmap/hashmap_FunsTheory.sig550
-rw-r--r--tests/hol4/hashmap/hashmap_TypesScript.sml24
-rw-r--r--tests/hol4/hashmap/hashmap_TypesTheory.sig494
-rw-r--r--tests/hol4/hashmap_on_disk/Holmakefile5
-rw-r--r--tests/hol4/hashmap_on_disk/hashmapMain_FunsScript.sml646
-rw-r--r--tests/hol4/hashmap_on_disk/hashmapMain_FunsTheory.sig608
-rw-r--r--tests/hol4/hashmap_on_disk/hashmapMain_OpaqueScript.sml15
-rw-r--r--tests/hol4/hashmap_on_disk/hashmapMain_OpaqueTheory.sig11
-rw-r--r--tests/hol4/hashmap_on_disk/hashmapMain_TypesScript.sml27
-rw-r--r--tests/hol4/hashmap_on_disk/hashmapMain_TypesTheory.sig568
-rw-r--r--tests/hol4/misc-constants/Holmakefile5
-rw-r--r--tests/hol4/misc-constants/constantsScript.sml225
-rw-r--r--tests/hol4/misc-constants/constantsTheory.sig548
-rw-r--r--tests/hol4/misc-external/Holmakefile5
-rw-r--r--tests/hol4/misc-external/external_FunsScript.sml108
-rw-r--r--tests/hol4/misc-external/external_FunsTheory.sig105
-rw-r--r--tests/hol4/misc-external/external_OpaqueScript.sml25
-rw-r--r--tests/hol4/misc-external/external_OpaqueTheory.sig11
-rw-r--r--tests/hol4/misc-external/external_TypesScript.sml13
-rw-r--r--tests/hol4/misc-external/external_TypesTheory.sig11
-rw-r--r--tests/hol4/misc-loops/Holmakefile5
-rw-r--r--tests/hol4/misc-loops/loops_FunsScript.sml753
-rw-r--r--tests/hol4/misc-loops/loops_FunsTheory.sig731
-rw-r--r--tests/hol4/misc-loops/loops_TypesScript.sml13
-rw-r--r--tests/hol4/misc-loops/loops_TypesTheory.sig94
-rw-r--r--tests/hol4/misc-no_nested_borrows/Holmakefile5
-rw-r--r--tests/hol4/misc-no_nested_borrows/noNestedBorrowsScript.sml590
-rw-r--r--tests/hol4/misc-no_nested_borrows/noNestedBorrowsTheory.sig1596
-rw-r--r--tests/hol4/misc-paper/Holmakefile5
-rw-r--r--tests/hol4/misc-paper/paperScript.sml135
-rw-r--r--tests/hol4/misc-paper/paperTheory.sig210
-rw-r--r--tests/hol4/misc-polonius_list/Holmakefile5
-rw-r--r--tests/hol4/misc-polonius_list/poloniusListScript.sml37
-rw-r--r--tests/hol4/misc-polonius_list/poloniusListTheory.sig120
44 files changed, 13223 insertions, 4 deletions
diff --git a/Makefile b/Makefile
index 9df5f264..606ed3eb 100644
--- a/Makefile
+++ b/Makefile
@@ -119,6 +119,8 @@ trans-no_nested_borrows trans-paper: SUBDIR := misc
tfstar-no_nested_borrows tfstar-paper:
tlean-no_nested_borrows: SUBDIR := misc-no_nested_borrows
tlean-paper: SUBDIR := misc-paper
+thol4-no_nested_borrows: SUBDIR := misc-no_nested_borrows
+thol4-paper: SUBDIR := misc-paper
trans-loops: OPTIONS += -no-state
trans-loops: SUBDIR := misc
@@ -126,18 +128,21 @@ tfstar-loops: OPTIONS += -decreases-clauses -template-clauses
tcoq-loops: OPTIONS += -use-fuel -no-split-files
tlean-loops: SUBDIR := misc-loops
tlean-loops: OPTIONS += -decreases-clauses -template-clauses
+thol4-loops: SUBDIR := misc-loops
trans-hashmap: OPTIONS += -no-state
trans-hashmap: SUBDIR := hashmap
tfstar-hashmap: OPTIONS += -decreases-clauses -template-clauses
tcoq-hashmap: OPTIONS += -use-fuel
tlean-hashmap: OPTIONS += -decreases-clauses -template-clauses
+thol4-hashmap: OPTIONS +=
trans-hashmap_main: OPTIONS +=
trans-hashmap_main: SUBDIR := hashmap_on_disk
tfstar-hashmap_main: OPTIONS += -decreases-clauses -template-clauses
tcoq-hashmap_main: OPTIONS += -use-fuel
tlean-hashmap_main: OPTIONS += -decreases-clauses -template-clauses
+thol4-hashmap_main: OPTIONS +=
transp-polonius_list: OPTIONS += -test-units -test-trans-units -no-split-files -no-state
transp-polonius_list: SUBDIR := misc
@@ -145,6 +150,8 @@ tfstarp-polonius_list: OPTIONS +=
tcoqp-polonius_list: OPTIONS +=
tleanp-polonius_list: SUBDIR := misc-polonius_list
tleanp-polonius_list: OPTIONS +=
+thol4p-polonius_list: SUBDIR := misc-polonius_list
+thol4p-polonius_list: OPTIONS +=
trans-constants: OPTIONS += -test-units -test-trans-units -no-split-files -no-state
trans-constants: SUBDIR := misc
@@ -152,6 +159,8 @@ tfstar-constants: OPTIONS +=
tcoq-constants: OPTIONS +=
tlean-constants: SUBDIR := misc-constants
tlean-constants: OPTIONS +=
+thol4-constants: SUBDIR := misc-constants
+thol4-constants: OPTIONS +=
trans-external: OPTIONS +=
trans-external: SUBDIR := misc
@@ -159,6 +168,8 @@ tfstar-external: OPTIONS +=
tcoq-external: OPTIONS +=
tlean-external: SUBDIR := misc-external
tlean-external: OPTIONS +=
+thol4-external: SUBDIR := misc-external
+thol4-external: OPTIONS +=
BETREE_FSTAR_OPTIONS = -decreases-clauses -template-clauses
transp-betree_main: OPTIONS += -backward-no-state-update
@@ -166,6 +177,7 @@ transp-betree_main: SUBDIR:=betree
tfstarp-betree_main: OPTIONS += $(BETREE_FSTAR_OPTIONS)
tcoqp-betree_main: OPTIONS += -use-fuel
tleanp-betree_main: OPTIONS += $(BETREE_FSTAR_OPTIONS)
+thol4-betree_main: OPTIONS +=
# Additional test on the betree: translate it without `-backward-no-state-update`.
# This generates very ugly code, but is good to test the translation.
@@ -200,14 +212,14 @@ gen-llbcp-%:
.PHONY: trans-%
trans-%: CHARON_TEST_DIR = $(CHARON_TESTS_REGULAR_DIR)
trans-%: FILE = $*
-trans-%: gen-llbc-% tfstar-% tcoq-% tlean-%
+trans-%: gen-llbc-% tfstar-% tcoq-% tlean-% thol4-%
echo "# Test $* done"
# "p" stands for "Polonius"
.PHONY: transp-%
transp-%: CHARON_TEST_DIR = $(CHARON_TESTS_POLONIUS_DIR)
transp-%: FILE = $*
-transp-%: gen-llbcp-% tfstarp-% tcoqp-% tleanp-%
+transp-%: gen-llbcp-% tfstarp-% tcoqp-% tleanp-% thol4p-%
echo "# Test $* done"
.PHONY: tfstar-%
@@ -243,8 +255,6 @@ tlean-%: BACKEND_SUBDIR := lean
tlean-%:
$(AENEAS_CMD)
-
-
# "p" stands for "Polonius"
.PHONY: tleanp-%
@@ -259,6 +269,17 @@ tleanp-%: BACKEND_SUBDIR := lean
tleanp-%:
$(AENEAS_CMD)
+.PHONY: thol4-%
+thol4-%: OPTIONS += -backend hol4 -test-trans-units
+thol4-%: BACKEND_SUBDIR := hol4
+thol4-%:
+ $(AENEAS_CMD)
+
+.PHONY: thol4p-%
+thol4p-%: OPTIONS += -backend hol4 -test-trans-units
+thol4p-%: BACKEND_SUBDIR := hol4
+thol4p-%:
+ $(AENEAS_CMD)
# Nix - TODO: add the lean tests
.PHONY: nix
diff --git a/tests/hol4/betree/Holmakefile b/tests/hol4/betree/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/betree/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/betree/betreeMain_FunsScript.sml b/tests/hol4/betree/betreeMain_FunsScript.sml
new file mode 100644
index 00000000..df0c6a24
--- /dev/null
+++ b/tests/hol4/betree/betreeMain_FunsScript.sml
@@ -0,0 +1,1214 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [betree_main]: function definitions *)
+open primitivesLib divDefLib
+open betreeMain_TypesTheory betreeMain_OpaqueTheory
+
+val _ = new_theory "betreeMain_Funs"
+
+
+val betree_load_internal_node_fwd_def = Define ‘
+ (** [betree_main::betree::load_internal_node] *)
+ betree_load_internal_node_fwd
+ (id : u64) (st : state) :
+ (state # (u64 # betree_message_t) betree_list_t) result
+ =
+ betree_utils_load_internal_node_fwd id st
+’
+
+val betree_store_internal_node_fwd_def = Define ‘
+ (** [betree_main::betree::store_internal_node] *)
+ betree_store_internal_node_fwd
+ (id : u64) (content : (u64 # betree_message_t) betree_list_t) (st : state)
+ :
+ (state # unit) result
+ =
+ do
+ (st0, _) <- betree_utils_store_internal_node_fwd id content st;
+ Return (st0, ())
+ od
+’
+
+val betree_load_leaf_node_fwd_def = Define ‘
+ (** [betree_main::betree::load_leaf_node] *)
+ betree_load_leaf_node_fwd
+ (id : u64) (st : state) : (state # (u64 # u64) betree_list_t) result =
+ betree_utils_load_leaf_node_fwd id st
+’
+
+val betree_store_leaf_node_fwd_def = Define ‘
+ (** [betree_main::betree::store_leaf_node] *)
+ betree_store_leaf_node_fwd
+ (id : u64) (content : (u64 # u64) betree_list_t) (st : state) :
+ (state # unit) result
+ =
+ do
+ (st0, _) <- betree_utils_store_leaf_node_fwd id content st;
+ Return (st0, ())
+ od
+’
+
+val betree_fresh_node_id_fwd_def = Define ‘
+ (** [betree_main::betree::fresh_node_id] *)
+ betree_fresh_node_id_fwd (counter : u64) : u64 result =
+ do
+ _ <- u64_add counter (int_to_u64 1);
+ Return counter
+ od
+’
+
+val betree_fresh_node_id_back_def = Define ‘
+ (** [betree_main::betree::fresh_node_id] *)
+ betree_fresh_node_id_back (counter : u64) : u64 result =
+ u64_add counter (int_to_u64 1)
+’
+
+val betree_node_id_counter_new_fwd_def = Define ‘
+ (** [betree_main::betree::NodeIdCounter::{0}::new] *)
+ betree_node_id_counter_new_fwd : betree_node_id_counter_t result =
+ Return (<| betree_node_id_counter_next_node_id := (int_to_u64 0) |>)
+’
+
+val betree_node_id_counter_fresh_id_fwd_def = Define ‘
+ (** [betree_main::betree::NodeIdCounter::{0}::fresh_id] *)
+ betree_node_id_counter_fresh_id_fwd
+ (self : betree_node_id_counter_t) : u64 result =
+ do
+ _ <- u64_add self.betree_node_id_counter_next_node_id (int_to_u64 1);
+ Return self.betree_node_id_counter_next_node_id
+ od
+’
+
+val betree_node_id_counter_fresh_id_back_def = Define ‘
+ (** [betree_main::betree::NodeIdCounter::{0}::fresh_id] *)
+ betree_node_id_counter_fresh_id_back
+ (self : betree_node_id_counter_t) : betree_node_id_counter_t result =
+ do
+ i <- u64_add self.betree_node_id_counter_next_node_id (int_to_u64 1);
+ Return (<| betree_node_id_counter_next_node_id := i |>)
+ od
+’
+
+(** [core::num::u64::{10}::MAX] *)
+Definition core_num_u64_max_body_def:
+ core_num_u64_max_body : u64 result = Return (int_to_u64 18446744073709551615)
+End
+Definition core_num_u64_max_c_def:
+ core_num_u64_max_c : u64 = get_return_value core_num_u64_max_body
+End
+
+val betree_upsert_update_fwd_def = Define ‘
+ (** [betree_main::betree::upsert_update] *)
+ betree_upsert_update_fwd
+ (prev : u64 option) (st : betree_upsert_fun_state_t) : u64 result =
+ (case prev of
+ | NONE =>
+ (case st of
+ | BetreeUpsertFunStateAdd v => Return v
+ | BetreeUpsertFunStateSub i => Return (int_to_u64 0))
+ | SOME prev0 =>
+ (case st of
+ | BetreeUpsertFunStateAdd v =>
+ do
+ margin <- u64_sub core_num_u64_max_c prev0;
+ if u64_ge margin v then u64_add prev0 v else Return core_num_u64_max_c
+ od
+ | BetreeUpsertFunStateSub v =>
+ if u64_ge prev0 v then u64_sub prev0 v else Return (int_to_u64 0)))
+’
+
+val [betree_list_len_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::List::{1}::len] *)
+ betree_list_len_fwd (self : 't betree_list_t) : u64 result =
+ (case self of
+ | BetreeListCons t tl =>
+ do
+ i <- betree_list_len_fwd tl;
+ u64_add (int_to_u64 1) i
+ od
+ | BetreeListNil => Return (int_to_u64 0))
+’
+
+val [betree_list_split_at_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::List::{1}::split_at] *)
+ betree_list_split_at_fwd
+ (self : 't betree_list_t) (n : u64) :
+ ('t betree_list_t # 't betree_list_t) result
+ =
+ if n = int_to_u64 0
+ then Return (BetreeListNil, self)
+ else
+ (case self of
+ | BetreeListCons hd tl =>
+ do
+ i <- u64_sub n (int_to_u64 1);
+ p <- betree_list_split_at_fwd tl i;
+ let (ls0, ls1) = p in let l = ls0 in Return (BetreeListCons hd l, ls1)
+ od
+ | BetreeListNil => Fail Failure)
+’
+
+val betree_list_push_front_fwd_back_def = Define ‘
+ (** [betree_main::betree::List::{1}::push_front] *)
+ betree_list_push_front_fwd_back
+ (self : 't betree_list_t) (x : 't) : 't betree_list_t result =
+ let tl = mem_replace_fwd self BetreeListNil in
+ let l = tl in
+ Return (BetreeListCons x l)
+’
+
+val betree_list_pop_front_fwd_def = Define ‘
+ (** [betree_main::betree::List::{1}::pop_front] *)
+ betree_list_pop_front_fwd (self : 't betree_list_t) : 't result =
+ let ls = mem_replace_fwd self BetreeListNil in
+ (case ls of
+ | BetreeListCons x tl => Return x
+ | BetreeListNil => Fail Failure)
+’
+
+val betree_list_pop_front_back_def = Define ‘
+ (** [betree_main::betree::List::{1}::pop_front] *)
+ betree_list_pop_front_back
+ (self : 't betree_list_t) : 't betree_list_t result =
+ let ls = mem_replace_fwd self BetreeListNil in
+ (case ls of
+ | BetreeListCons x tl => Return tl
+ | BetreeListNil => Fail Failure)
+’
+
+val betree_list_hd_fwd_def = Define ‘
+ (** [betree_main::betree::List::{1}::hd] *)
+ betree_list_hd_fwd (self : 't betree_list_t) : 't result =
+ (case self of
+ | BetreeListCons hd l => Return hd
+ | BetreeListNil => Fail Failure)
+’
+
+val betree_list_head_has_key_fwd_def = Define ‘
+ (** [betree_main::betree::List::{2}::head_has_key] *)
+ betree_list_head_has_key_fwd
+ (self : (u64 # 't) betree_list_t) (key : u64) : bool result =
+ (case self of
+ | BetreeListCons hd l => let (i, _) = hd in Return (i = key)
+ | BetreeListNil => Return F)
+’
+
+val [betree_list_partition_at_pivot_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::List::{2}::partition_at_pivot] *)
+ betree_list_partition_at_pivot_fwd
+ (self : (u64 # 't) betree_list_t) (pivot : u64) :
+ ((u64 # 't) betree_list_t # (u64 # 't) betree_list_t) result
+ =
+ (case self of
+ | BetreeListCons hd tl =>
+ let (i, t) = hd in
+ if u64_ge i pivot
+ then Return (BetreeListNil, BetreeListCons (i, t) tl)
+ else (
+ do
+ p <- betree_list_partition_at_pivot_fwd tl pivot;
+ let (ls0, ls1) = p in
+ let l = ls0 in
+ Return (BetreeListCons (i, t) l, ls1)
+ od)
+ | BetreeListNil => Return (BetreeListNil, BetreeListNil))
+’
+
+val betree_leaf_split_fwd_def = Define ‘
+ (** [betree_main::betree::Leaf::{3}::split] *)
+ betree_leaf_split_fwd
+ (self : betree_leaf_t) (content : (u64 # u64) betree_list_t)
+ (params : betree_params_t) (node_id_cnt : betree_node_id_counter_t)
+ (st : state) :
+ (state # betree_internal_t) result
+ =
+ do
+ p <- betree_list_split_at_fwd content params.betree_params_split_size;
+ let (content0, content1) = p in
+ do
+ p0 <- betree_list_hd_fwd content1;
+ let (pivot, _) = p0 in
+ do
+ id0 <- betree_node_id_counter_fresh_id_fwd node_id_cnt;
+ node_id_cnt0 <- betree_node_id_counter_fresh_id_back node_id_cnt;
+ id1 <- betree_node_id_counter_fresh_id_fwd node_id_cnt0;
+ (st0, _) <- betree_store_leaf_node_fwd id0 content0 st;
+ (st1, _) <- betree_store_leaf_node_fwd id1 content1 st0;
+ let n = BetreeNodeLeaf
+ (<|
+ betree_leaf_id := id0;
+ betree_leaf_size := params.betree_params_split_size
+ |>) in
+ let n0 = BetreeNodeLeaf
+ (<|
+ betree_leaf_id := id1;
+ betree_leaf_size := params.betree_params_split_size
+ |>) in
+ Return (st1,
+ <|
+ betree_internal_id := self.betree_leaf_id;
+ betree_internal_pivot := pivot;
+ betree_internal_left := n;
+ betree_internal_right := n0
+ |>)
+ od
+ od
+ od
+’
+
+val betree_leaf_split_back_def = Define ‘
+ (** [betree_main::betree::Leaf::{3}::split] *)
+ betree_leaf_split_back
+ (self : betree_leaf_t) (content : (u64 # u64) betree_list_t)
+ (params : betree_params_t) (node_id_cnt : betree_node_id_counter_t)
+ (st : state) :
+ betree_node_id_counter_t result
+ =
+ do
+ p <- betree_list_split_at_fwd content params.betree_params_split_size;
+ let (content0, content1) = p in
+ do
+ _ <- betree_list_hd_fwd content1;
+ id0 <- betree_node_id_counter_fresh_id_fwd node_id_cnt;
+ node_id_cnt0 <- betree_node_id_counter_fresh_id_back node_id_cnt;
+ id1 <- betree_node_id_counter_fresh_id_fwd node_id_cnt0;
+ (st0, _) <- betree_store_leaf_node_fwd id0 content0 st;
+ _ <- betree_store_leaf_node_fwd id1 content1 st0;
+ betree_node_id_counter_fresh_id_back node_id_cnt0
+ od
+ od
+’
+
+val [betree_node_lookup_in_bindings_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup_in_bindings] *)
+ betree_node_lookup_in_bindings_fwd
+ (key : u64) (bindings : (u64 # u64) betree_list_t) : u64 option result =
+ (case bindings of
+ | BetreeListCons hd tl =>
+ let (i, i0) = hd in
+ if i = key
+ then Return (SOME i0)
+ else
+ if u64_gt i key
+ then Return NONE
+ else betree_node_lookup_in_bindings_fwd key tl
+ | BetreeListNil => Return NONE)
+’
+
+val [betree_node_lookup_first_message_for_key_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup_first_message_for_key] *)
+ betree_node_lookup_first_message_for_key_fwd
+ (key : u64) (msgs : (u64 # betree_message_t) betree_list_t) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ (case msgs of
+ | BetreeListCons x next_msgs =>
+ let (i, m) = x in
+ if u64_ge i key
+ then Return (BetreeListCons (i, m) next_msgs)
+ else betree_node_lookup_first_message_for_key_fwd key next_msgs
+ | BetreeListNil => Return BetreeListNil)
+’
+
+val [betree_node_lookup_first_message_for_key_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup_first_message_for_key] *)
+ betree_node_lookup_first_message_for_key_back
+ (key : u64) (msgs : (u64 # betree_message_t) betree_list_t)
+ (ret : (u64 # betree_message_t) betree_list_t) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ (case msgs of
+ | BetreeListCons x next_msgs =>
+ let (i, m) = x in
+ if u64_ge i key
+ then Return ret
+ else (
+ do
+ next_msgs0 <-
+ betree_node_lookup_first_message_for_key_back key next_msgs ret;
+ Return (BetreeListCons (i, m) next_msgs0)
+ od)
+ | BetreeListNil => Return ret)
+’
+
+val [betree_node_apply_upserts_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::apply_upserts] *)
+ betree_node_apply_upserts_fwd
+ (msgs : (u64 # betree_message_t) betree_list_t) (prev : u64 option)
+ (key : u64) (st : state) :
+ (state # u64) result
+ =
+ do
+ b <- betree_list_head_has_key_fwd msgs key;
+ if b
+ then (
+ do
+ msg <- betree_list_pop_front_fwd msgs;
+ let (_, m) = msg in
+ (case m of
+ | BetreeMessageInsert i => Fail Failure
+ | BetreeMessageDelete => Fail Failure
+ | BetreeMessageUpsert s =>
+ do
+ v <- betree_upsert_update_fwd prev s;
+ msgs0 <- betree_list_pop_front_back msgs;
+ betree_node_apply_upserts_fwd msgs0 (SOME v) key st
+ od)
+ od)
+ else (
+ do
+ (st0, v) <- core_option_option_unwrap_fwd prev st;
+ _ <- betree_list_push_front_fwd_back msgs (key, BetreeMessageInsert v);
+ Return (st0, v)
+ od)
+ od
+’
+
+val [betree_node_apply_upserts_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::apply_upserts] *)
+ betree_node_apply_upserts_back
+ (msgs : (u64 # betree_message_t) betree_list_t) (prev : u64 option)
+ (key : u64) (st : state) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ do
+ b <- betree_list_head_has_key_fwd msgs key;
+ if b
+ then (
+ do
+ msg <- betree_list_pop_front_fwd msgs;
+ let (_, m) = msg in
+ (case m of
+ | BetreeMessageInsert i => Fail Failure
+ | BetreeMessageDelete => Fail Failure
+ | BetreeMessageUpsert s =>
+ do
+ v <- betree_upsert_update_fwd prev s;
+ msgs0 <- betree_list_pop_front_back msgs;
+ betree_node_apply_upserts_back msgs0 (SOME v) key st
+ od)
+ od)
+ else (
+ do
+ (_, v) <- core_option_option_unwrap_fwd prev st;
+ betree_list_push_front_fwd_back msgs (key, BetreeMessageInsert v)
+ od)
+ od
+’
+
+val [betree_node_lookup_fwd_def, betree_node_lookup_back_def, betree_internal_lookup_in_children_fwd_def, betree_internal_lookup_in_children_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup] *)
+ (betree_node_lookup_fwd
+ (self : betree_node_t) (key : u64) (st : state) :
+ (state # u64 option) result
+ =
+ (case self of
+ | BetreeNodeInternal node =>
+ do
+ (st0, msgs) <- betree_load_internal_node_fwd node.betree_internal_id st;
+ pending <- betree_node_lookup_first_message_for_key_fwd key msgs;
+ (case pending of
+ | BetreeListCons p l =>
+ let (k, msg) = p in
+ if k <> key
+ then (
+ do
+ (st1, opt) <- betree_internal_lookup_in_children_fwd node key st0;
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs
+ (BetreeListCons (k, msg) l);
+ Return (st1, opt)
+ od)
+ else
+ (case msg of
+ | BetreeMessageInsert v =>
+ do
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs
+ (BetreeListCons (k, BetreeMessageInsert v) l);
+ Return (st0, SOME v)
+ od
+ | BetreeMessageDelete =>
+ do
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs
+ (BetreeListCons (k, BetreeMessageDelete) l);
+ Return (st0, NONE)
+ od
+ | BetreeMessageUpsert ufs =>
+ do
+ (st1, v) <- betree_internal_lookup_in_children_fwd node key st0;
+ (st2, v0) <-
+ betree_node_apply_upserts_fwd (BetreeListCons (k,
+ BetreeMessageUpsert ufs) l) v key st1;
+ node0 <- betree_internal_lookup_in_children_back node key st0;
+ pending0 <-
+ betree_node_apply_upserts_back (BetreeListCons (k,
+ BetreeMessageUpsert ufs) l) v key st1;
+ msgs0 <-
+ betree_node_lookup_first_message_for_key_back key msgs pending0;
+ (st3, _) <-
+ betree_store_internal_node_fwd node0.betree_internal_id msgs0 st2;
+ Return (st3, SOME v0)
+ od)
+ | BetreeListNil =>
+ do
+ (st1, opt) <- betree_internal_lookup_in_children_fwd node key st0;
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs BetreeListNil;
+ Return (st1, opt)
+ od)
+ od
+ | BetreeNodeLeaf node =>
+ do
+ (st0, bindings) <- betree_load_leaf_node_fwd node.betree_leaf_id st;
+ opt <- betree_node_lookup_in_bindings_fwd key bindings;
+ Return (st0, opt)
+ od))
+ /\
+
+ (** [betree_main::betree::Node::{5}::lookup] *)
+ (betree_node_lookup_back
+ (self : betree_node_t) (key : u64) (st : state) : betree_node_t result =
+ (case self of
+ | BetreeNodeInternal node =>
+ do
+ (st0, msgs) <- betree_load_internal_node_fwd node.betree_internal_id st;
+ pending <- betree_node_lookup_first_message_for_key_fwd key msgs;
+ (case pending of
+ | BetreeListCons p l =>
+ let (k, msg) = p in
+ if k <> key
+ then (
+ do
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs
+ (BetreeListCons (k, msg) l);
+ node0 <- betree_internal_lookup_in_children_back node key st0;
+ Return (BetreeNodeInternal node0)
+ od)
+ else
+ (case msg of
+ | BetreeMessageInsert v =>
+ do
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs
+ (BetreeListCons (k, BetreeMessageInsert v) l);
+ Return (BetreeNodeInternal node)
+ od
+ | BetreeMessageDelete =>
+ do
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs
+ (BetreeListCons (k, BetreeMessageDelete) l);
+ Return (BetreeNodeInternal node)
+ od
+ | BetreeMessageUpsert ufs =>
+ do
+ (st1, v) <- betree_internal_lookup_in_children_fwd node key st0;
+ (st2, _) <-
+ betree_node_apply_upserts_fwd (BetreeListCons (k,
+ BetreeMessageUpsert ufs) l) v key st1;
+ node0 <- betree_internal_lookup_in_children_back node key st0;
+ pending0 <-
+ betree_node_apply_upserts_back (BetreeListCons (k,
+ BetreeMessageUpsert ufs) l) v key st1;
+ msgs0 <-
+ betree_node_lookup_first_message_for_key_back key msgs pending0;
+ _ <-
+ betree_store_internal_node_fwd node0.betree_internal_id msgs0 st2;
+ Return (BetreeNodeInternal node0)
+ od)
+ | BetreeListNil =>
+ do
+ _ <-
+ betree_node_lookup_first_message_for_key_back key msgs BetreeListNil;
+ node0 <- betree_internal_lookup_in_children_back node key st0;
+ Return (BetreeNodeInternal node0)
+ od)
+ od
+ | BetreeNodeLeaf node =>
+ do
+ (_, bindings) <- betree_load_leaf_node_fwd node.betree_leaf_id st;
+ _ <- betree_node_lookup_in_bindings_fwd key bindings;
+ Return (BetreeNodeLeaf node)
+ od))
+ /\
+
+ (** [betree_main::betree::Internal::{4}::lookup_in_children] *)
+ (betree_internal_lookup_in_children_fwd
+ (self : betree_internal_t) (key : u64) (st : state) :
+ (state # u64 option) result
+ =
+ if u64_lt key self.betree_internal_pivot
+ then betree_node_lookup_fwd self.betree_internal_left key st
+ else betree_node_lookup_fwd self.betree_internal_right key st)
+ /\
+
+ (** [betree_main::betree::Internal::{4}::lookup_in_children] *)
+ betree_internal_lookup_in_children_back
+ (self : betree_internal_t) (key : u64) (st : state) :
+ betree_internal_t result
+ =
+ if u64_lt key self.betree_internal_pivot
+ then (
+ do
+ n <- betree_node_lookup_back self.betree_internal_left key st;
+ Return (self with <| betree_internal_left := n |>)
+ od)
+ else (
+ do
+ n <- betree_node_lookup_back self.betree_internal_right key st;
+ Return (self with <| betree_internal_right := n |>)
+ od)
+’
+
+val [betree_node_lookup_mut_in_bindings_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup_mut_in_bindings] *)
+ betree_node_lookup_mut_in_bindings_fwd
+ (key : u64) (bindings : (u64 # u64) betree_list_t) :
+ (u64 # u64) betree_list_t result
+ =
+ (case bindings of
+ | BetreeListCons hd tl =>
+ let (i, i0) = hd in
+ if u64_ge i key
+ then Return (BetreeListCons (i, i0) tl)
+ else betree_node_lookup_mut_in_bindings_fwd key tl
+ | BetreeListNil => Return BetreeListNil)
+’
+
+val [betree_node_lookup_mut_in_bindings_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup_mut_in_bindings] *)
+ betree_node_lookup_mut_in_bindings_back
+ (key : u64) (bindings : (u64 # u64) betree_list_t)
+ (ret : (u64 # u64) betree_list_t) :
+ (u64 # u64) betree_list_t result
+ =
+ (case bindings of
+ | BetreeListCons hd tl =>
+ let (i, i0) = hd in
+ if u64_ge i key
+ then Return ret
+ else (
+ do
+ tl0 <- betree_node_lookup_mut_in_bindings_back key tl ret;
+ Return (BetreeListCons (i, i0) tl0)
+ od)
+ | BetreeListNil => Return ret)
+’
+
+val betree_node_apply_to_leaf_fwd_back_def = Define ‘
+ (** [betree_main::betree::Node::{5}::apply_to_leaf] *)
+ betree_node_apply_to_leaf_fwd_back
+ (bindings : (u64 # u64) betree_list_t) (key : u64)
+ (new_msg : betree_message_t) :
+ (u64 # u64) betree_list_t result
+ =
+ do
+ bindings0 <- betree_node_lookup_mut_in_bindings_fwd key bindings;
+ b <- betree_list_head_has_key_fwd bindings0 key;
+ if b
+ then (
+ do
+ hd <- betree_list_pop_front_fwd bindings0;
+ (case new_msg of
+ | BetreeMessageInsert v =>
+ do
+ bindings1 <- betree_list_pop_front_back bindings0;
+ bindings2 <- betree_list_push_front_fwd_back bindings1 (key, v);
+ betree_node_lookup_mut_in_bindings_back key bindings bindings2
+ od
+ | BetreeMessageDelete =>
+ do
+ bindings1 <- betree_list_pop_front_back bindings0;
+ betree_node_lookup_mut_in_bindings_back key bindings bindings1
+ od
+ | BetreeMessageUpsert s =>
+ let (_, i) = hd in
+ do
+ v <- betree_upsert_update_fwd (SOME i) s;
+ bindings1 <- betree_list_pop_front_back bindings0;
+ bindings2 <- betree_list_push_front_fwd_back bindings1 (key, v);
+ betree_node_lookup_mut_in_bindings_back key bindings bindings2
+ od)
+ od)
+ else
+ (case new_msg of
+ | BetreeMessageInsert v =>
+ do
+ bindings1 <- betree_list_push_front_fwd_back bindings0 (key, v);
+ betree_node_lookup_mut_in_bindings_back key bindings bindings1
+ od
+ | BetreeMessageDelete =>
+ betree_node_lookup_mut_in_bindings_back key bindings bindings0
+ | BetreeMessageUpsert s =>
+ do
+ v <- betree_upsert_update_fwd NONE s;
+ bindings1 <- betree_list_push_front_fwd_back bindings0 (key, v);
+ betree_node_lookup_mut_in_bindings_back key bindings bindings1
+ od)
+ od
+’
+
+val [betree_node_apply_messages_to_leaf_fwd_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::apply_messages_to_leaf] *)
+ betree_node_apply_messages_to_leaf_fwd_back
+ (bindings : (u64 # u64) betree_list_t)
+ (new_msgs : (u64 # betree_message_t) betree_list_t) :
+ (u64 # u64) betree_list_t result
+ =
+ (case new_msgs of
+ | BetreeListCons new_msg new_msgs_tl =>
+ let (i, m) = new_msg in
+ do
+ bindings0 <- betree_node_apply_to_leaf_fwd_back bindings i m;
+ betree_node_apply_messages_to_leaf_fwd_back bindings0 new_msgs_tl
+ od
+ | BetreeListNil => Return bindings)
+’
+
+val [betree_node_filter_messages_for_key_fwd_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::filter_messages_for_key] *)
+ betree_node_filter_messages_for_key_fwd_back
+ (key : u64) (msgs : (u64 # betree_message_t) betree_list_t) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ (case msgs of
+ | BetreeListCons p l =>
+ let (k, m) = p in
+ if k = key
+ then (
+ do
+ msgs0 <- betree_list_pop_front_back (BetreeListCons (k, m) l);
+ betree_node_filter_messages_for_key_fwd_back key msgs0
+ od)
+ else Return (BetreeListCons (k, m) l)
+ | BetreeListNil => Return BetreeListNil)
+’
+
+val [betree_node_lookup_first_message_after_key_fwd_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup_first_message_after_key] *)
+ betree_node_lookup_first_message_after_key_fwd
+ (key : u64) (msgs : (u64 # betree_message_t) betree_list_t) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ (case msgs of
+ | BetreeListCons p next_msgs =>
+ let (k, m) = p in
+ if k = key
+ then betree_node_lookup_first_message_after_key_fwd key next_msgs
+ else Return (BetreeListCons (k, m) next_msgs)
+ | BetreeListNil => Return BetreeListNil)
+’
+
+val [betree_node_lookup_first_message_after_key_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::lookup_first_message_after_key] *)
+ betree_node_lookup_first_message_after_key_back
+ (key : u64) (msgs : (u64 # betree_message_t) betree_list_t)
+ (ret : (u64 # betree_message_t) betree_list_t) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ (case msgs of
+ | BetreeListCons p next_msgs =>
+ let (k, m) = p in
+ if k = key
+ then (
+ do
+ next_msgs0 <-
+ betree_node_lookup_first_message_after_key_back key next_msgs ret;
+ Return (BetreeListCons (k, m) next_msgs0)
+ od)
+ else Return ret
+ | BetreeListNil => Return ret)
+’
+
+val betree_node_apply_to_internal_fwd_back_def = Define ‘
+ (** [betree_main::betree::Node::{5}::apply_to_internal] *)
+ betree_node_apply_to_internal_fwd_back
+ (msgs : (u64 # betree_message_t) betree_list_t) (key : u64)
+ (new_msg : betree_message_t) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ do
+ msgs0 <- betree_node_lookup_first_message_for_key_fwd key msgs;
+ b <- betree_list_head_has_key_fwd msgs0 key;
+ if b
+ then
+ (case new_msg of
+ | BetreeMessageInsert i =>
+ do
+ msgs1 <- betree_node_filter_messages_for_key_fwd_back key msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1 (key, BetreeMessageInsert i);
+ betree_node_lookup_first_message_for_key_back key msgs msgs2
+ od
+ | BetreeMessageDelete =>
+ do
+ msgs1 <- betree_node_filter_messages_for_key_fwd_back key msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1 (key, BetreeMessageDelete);
+ betree_node_lookup_first_message_for_key_back key msgs msgs2
+ od
+ | BetreeMessageUpsert s =>
+ do
+ p <- betree_list_hd_fwd msgs0;
+ let (_, m) = p in
+ (case m of
+ | BetreeMessageInsert prev =>
+ do
+ v <- betree_upsert_update_fwd (SOME prev) s;
+ msgs1 <- betree_list_pop_front_back msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1 (key, BetreeMessageInsert v);
+ betree_node_lookup_first_message_for_key_back key msgs msgs2
+ od
+ | BetreeMessageDelete =>
+ do
+ v <- betree_upsert_update_fwd NONE s;
+ msgs1 <- betree_list_pop_front_back msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1 (key, BetreeMessageInsert v);
+ betree_node_lookup_first_message_for_key_back key msgs msgs2
+ od
+ | BetreeMessageUpsert ufs =>
+ do
+ msgs1 <- betree_node_lookup_first_message_after_key_fwd key msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1 (key, BetreeMessageUpsert s);
+ msgs3 <-
+ betree_node_lookup_first_message_after_key_back key msgs0 msgs2;
+ betree_node_lookup_first_message_for_key_back key msgs msgs3
+ od)
+ od)
+ else (
+ do
+ msgs1 <- betree_list_push_front_fwd_back msgs0 (key, new_msg);
+ betree_node_lookup_first_message_for_key_back key msgs msgs1
+ od)
+ od
+’
+
+val [betree_node_apply_messages_to_internal_fwd_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::apply_messages_to_internal] *)
+ betree_node_apply_messages_to_internal_fwd_back
+ (msgs : (u64 # betree_message_t) betree_list_t)
+ (new_msgs : (u64 # betree_message_t) betree_list_t) :
+ (u64 # betree_message_t) betree_list_t result
+ =
+ (case new_msgs of
+ | BetreeListCons new_msg new_msgs_tl =>
+ let (i, m) = new_msg in
+ do
+ msgs0 <- betree_node_apply_to_internal_fwd_back msgs i m;
+ betree_node_apply_messages_to_internal_fwd_back msgs0 new_msgs_tl
+ od
+ | BetreeListNil => Return msgs)
+’
+
+val [betree_node_apply_messages_fwd_def, betree_node_apply_messages_back_def, betree_internal_flush_fwd_def, betree_internal_flush_back_def] = DefineDiv ‘
+ (** [betree_main::betree::Node::{5}::apply_messages] *)
+ (betree_node_apply_messages_fwd
+ (self : betree_node_t) (params : betree_params_t)
+ (node_id_cnt : betree_node_id_counter_t)
+ (msgs : (u64 # betree_message_t) betree_list_t) (st : state) :
+ (state # unit) result
+ =
+ (case self of
+ | BetreeNodeInternal node =>
+ do
+ (st0, content) <-
+ betree_load_internal_node_fwd node.betree_internal_id st;
+ content0 <- betree_node_apply_messages_to_internal_fwd_back content msgs;
+ num_msgs <- betree_list_len_fwd content0;
+ if u64_ge num_msgs params.betree_params_min_flush_size
+ then (
+ do
+ (st1, content1) <-
+ betree_internal_flush_fwd node params node_id_cnt content0 st0;
+ (node0, _) <-
+ betree_internal_flush_back node params node_id_cnt content0 st0;
+ (st2, _) <-
+ betree_store_internal_node_fwd node0.betree_internal_id content1 st1;
+ Return (st2, ())
+ od)
+ else (
+ do
+ (st1, _) <-
+ betree_store_internal_node_fwd node.betree_internal_id content0 st0;
+ Return (st1, ())
+ od)
+ od
+ | BetreeNodeLeaf node =>
+ do
+ (st0, content) <- betree_load_leaf_node_fwd node.betree_leaf_id st;
+ content0 <- betree_node_apply_messages_to_leaf_fwd_back content msgs;
+ len <- betree_list_len_fwd content0;
+ i <- u64_mul (int_to_u64 2) params.betree_params_split_size;
+ if u64_ge len i
+ then (
+ do
+ (st1, _) <- betree_leaf_split_fwd node content0 params node_id_cnt st0;
+ (st2, _) <-
+ betree_store_leaf_node_fwd node.betree_leaf_id BetreeListNil st1;
+ Return (st2, ())
+ od)
+ else (
+ do
+ (st1, _) <-
+ betree_store_leaf_node_fwd node.betree_leaf_id content0 st0;
+ Return (st1, ())
+ od)
+ od))
+ /\
+
+ (** [betree_main::betree::Node::{5}::apply_messages] *)
+ (betree_node_apply_messages_back
+ (self : betree_node_t) (params : betree_params_t)
+ (node_id_cnt : betree_node_id_counter_t)
+ (msgs : (u64 # betree_message_t) betree_list_t) (st : state) :
+ (betree_node_t # betree_node_id_counter_t) result
+ =
+ (case self of
+ | BetreeNodeInternal node =>
+ do
+ (st0, content) <-
+ betree_load_internal_node_fwd node.betree_internal_id st;
+ content0 <- betree_node_apply_messages_to_internal_fwd_back content msgs;
+ num_msgs <- betree_list_len_fwd content0;
+ if u64_ge num_msgs params.betree_params_min_flush_size
+ then (
+ do
+ (st1, content1) <-
+ betree_internal_flush_fwd node params node_id_cnt content0 st0;
+ (node0, node_id_cnt0) <-
+ betree_internal_flush_back node params node_id_cnt content0 st0;
+ _ <-
+ betree_store_internal_node_fwd node0.betree_internal_id content1 st1;
+ Return (BetreeNodeInternal node0, node_id_cnt0)
+ od)
+ else (
+ do
+ _ <-
+ betree_store_internal_node_fwd node.betree_internal_id content0 st0;
+ Return (BetreeNodeInternal node, node_id_cnt)
+ od)
+ od
+ | BetreeNodeLeaf node =>
+ do
+ (st0, content) <- betree_load_leaf_node_fwd node.betree_leaf_id st;
+ content0 <- betree_node_apply_messages_to_leaf_fwd_back content msgs;
+ len <- betree_list_len_fwd content0;
+ i <- u64_mul (int_to_u64 2) params.betree_params_split_size;
+ if u64_ge len i
+ then (
+ do
+ (st1, new_node) <-
+ betree_leaf_split_fwd node content0 params node_id_cnt st0;
+ _ <- betree_store_leaf_node_fwd node.betree_leaf_id BetreeListNil st1;
+ node_id_cnt0 <-
+ betree_leaf_split_back node content0 params node_id_cnt st0;
+ Return (BetreeNodeInternal new_node, node_id_cnt0)
+ od)
+ else (
+ do
+ _ <- betree_store_leaf_node_fwd node.betree_leaf_id content0 st0;
+ Return (BetreeNodeLeaf (node with <| betree_leaf_size := len |>),
+ node_id_cnt)
+ od)
+ od))
+ /\
+
+ (** [betree_main::betree::Internal::{4}::flush] *)
+ (betree_internal_flush_fwd
+ (self : betree_internal_t) (params : betree_params_t)
+ (node_id_cnt : betree_node_id_counter_t)
+ (content : (u64 # betree_message_t) betree_list_t) (st : state) :
+ (state # (u64 # betree_message_t) betree_list_t) result
+ =
+ do
+ p <- betree_list_partition_at_pivot_fwd content self.betree_internal_pivot;
+ let (msgs_left, msgs_right) = p in
+ do
+ len_left <- betree_list_len_fwd msgs_left;
+ if u64_ge len_left params.betree_params_min_flush_size
+ then (
+ do
+ (st0, _) <-
+ betree_node_apply_messages_fwd self.betree_internal_left params
+ node_id_cnt msgs_left st;
+ (_, node_id_cnt0) <-
+ betree_node_apply_messages_back self.betree_internal_left params
+ node_id_cnt msgs_left st;
+ len_right <- betree_list_len_fwd msgs_right;
+ if u64_ge len_right params.betree_params_min_flush_size
+ then (
+ do
+ (st1, _) <-
+ betree_node_apply_messages_fwd self.betree_internal_right params
+ node_id_cnt0 msgs_right st0;
+ _ <-
+ betree_node_apply_messages_back self.betree_internal_right params
+ node_id_cnt0 msgs_right st0;
+ Return (st1, BetreeListNil)
+ od)
+ else Return (st0, msgs_right)
+ od)
+ else (
+ do
+ (st0, _) <-
+ betree_node_apply_messages_fwd self.betree_internal_right params
+ node_id_cnt msgs_right st;
+ _ <-
+ betree_node_apply_messages_back self.betree_internal_right params
+ node_id_cnt msgs_right st;
+ Return (st0, msgs_left)
+ od)
+ od
+ od)
+ /\
+
+ (** [betree_main::betree::Internal::{4}::flush] *)
+ betree_internal_flush_back
+ (self : betree_internal_t) (params : betree_params_t)
+ (node_id_cnt : betree_node_id_counter_t)
+ (content : (u64 # betree_message_t) betree_list_t) (st : state) :
+ (betree_internal_t # betree_node_id_counter_t) result
+ =
+ do
+ p <- betree_list_partition_at_pivot_fwd content self.betree_internal_pivot;
+ let (msgs_left, msgs_right) = p in
+ do
+ len_left <- betree_list_len_fwd msgs_left;
+ if u64_ge len_left params.betree_params_min_flush_size
+ then (
+ do
+ (st0, _) <-
+ betree_node_apply_messages_fwd self.betree_internal_left params
+ node_id_cnt msgs_left st;
+ (n, node_id_cnt0) <-
+ betree_node_apply_messages_back self.betree_internal_left params
+ node_id_cnt msgs_left st;
+ len_right <- betree_list_len_fwd msgs_right;
+ if u64_ge len_right params.betree_params_min_flush_size
+ then (
+ do
+ (n0, node_id_cnt1) <-
+ betree_node_apply_messages_back self.betree_internal_right params
+ node_id_cnt0 msgs_right st0;
+ Return
+ (self
+ with
+ <|
+ betree_internal_left := n; betree_internal_right := n0
+ |>, node_id_cnt1)
+ od)
+ else Return (self with <| betree_internal_left := n |>, node_id_cnt0)
+ od)
+ else (
+ do
+ (n, node_id_cnt0) <-
+ betree_node_apply_messages_back self.betree_internal_right params
+ node_id_cnt msgs_right st;
+ Return (self with <| betree_internal_right := n |>, node_id_cnt0)
+ od)
+ od
+ od
+’
+
+val betree_node_apply_fwd_def = Define ‘
+ (** [betree_main::betree::Node::{5}::apply] *)
+ betree_node_apply_fwd
+ (self : betree_node_t) (params : betree_params_t)
+ (node_id_cnt : betree_node_id_counter_t) (key : u64)
+ (new_msg : betree_message_t) (st : state) :
+ (state # unit) result
+ =
+ let l = BetreeListNil in
+ do
+ (st0, _) <-
+ betree_node_apply_messages_fwd self params node_id_cnt (BetreeListCons
+ (key, new_msg) l) st;
+ _ <-
+ betree_node_apply_messages_back self params node_id_cnt (BetreeListCons
+ (key, new_msg) l) st;
+ Return (st0, ())
+ od
+’
+
+val betree_node_apply_back_def = Define ‘
+ (** [betree_main::betree::Node::{5}::apply] *)
+ betree_node_apply_back
+ (self : betree_node_t) (params : betree_params_t)
+ (node_id_cnt : betree_node_id_counter_t) (key : u64)
+ (new_msg : betree_message_t) (st : state) :
+ (betree_node_t # betree_node_id_counter_t) result
+ =
+ let l = BetreeListNil in
+ betree_node_apply_messages_back self params node_id_cnt (BetreeListCons
+ (key, new_msg) l) st
+’
+
+val betree_be_tree_new_fwd_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::new] *)
+ betree_be_tree_new_fwd
+ (min_flush_size : u64) (split_size : u64) (st : state) :
+ (state # betree_be_tree_t) result
+ =
+ do
+ node_id_cnt <- betree_node_id_counter_new_fwd;
+ id <- betree_node_id_counter_fresh_id_fwd node_id_cnt;
+ (st0, _) <- betree_store_leaf_node_fwd id BetreeListNil st;
+ node_id_cnt0 <- betree_node_id_counter_fresh_id_back node_id_cnt;
+ Return (st0,
+ <|
+ betree_be_tree_params :=
+ (<|
+ betree_params_min_flush_size := min_flush_size;
+ betree_params_split_size := split_size
+ |>);
+ betree_be_tree_node_id_cnt := node_id_cnt0;
+ betree_be_tree_root :=
+ (BetreeNodeLeaf
+ (<| betree_leaf_id := id; betree_leaf_size := (int_to_u64 0) |>))
+ |>)
+ od
+’
+
+val betree_be_tree_apply_fwd_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::apply] *)
+ betree_be_tree_apply_fwd
+ (self : betree_be_tree_t) (key : u64) (msg : betree_message_t) (st : state)
+ :
+ (state # unit) result
+ =
+ do
+ (st0, _) <-
+ betree_node_apply_fwd self.betree_be_tree_root self.betree_be_tree_params
+ self.betree_be_tree_node_id_cnt key msg st;
+ _ <-
+ betree_node_apply_back self.betree_be_tree_root
+ self.betree_be_tree_params self.betree_be_tree_node_id_cnt key msg st;
+ Return (st0, ())
+ od
+’
+
+val betree_be_tree_apply_back_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::apply] *)
+ betree_be_tree_apply_back
+ (self : betree_be_tree_t) (key : u64) (msg : betree_message_t) (st : state)
+ :
+ betree_be_tree_t result
+ =
+ do
+ (n, nic) <-
+ betree_node_apply_back self.betree_be_tree_root
+ self.betree_be_tree_params self.betree_be_tree_node_id_cnt key msg st;
+ Return
+ (self
+ with
+ <|
+ betree_be_tree_node_id_cnt := nic; betree_be_tree_root := n
+ |>)
+ od
+’
+
+val betree_be_tree_insert_fwd_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::insert] *)
+ betree_be_tree_insert_fwd
+ (self : betree_be_tree_t) (key : u64) (value : u64) (st : state) :
+ (state # unit) result
+ =
+ do
+ (st0, _) <-
+ betree_be_tree_apply_fwd self key (BetreeMessageInsert value) st;
+ _ <- betree_be_tree_apply_back self key (BetreeMessageInsert value) st;
+ Return (st0, ())
+ od
+’
+
+val betree_be_tree_insert_back_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::insert] *)
+ betree_be_tree_insert_back
+ (self : betree_be_tree_t) (key : u64) (value : u64) (st : state) :
+ betree_be_tree_t result
+ =
+ betree_be_tree_apply_back self key (BetreeMessageInsert value) st
+’
+
+val betree_be_tree_delete_fwd_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::delete] *)
+ betree_be_tree_delete_fwd
+ (self : betree_be_tree_t) (key : u64) (st : state) :
+ (state # unit) result
+ =
+ do
+ (st0, _) <- betree_be_tree_apply_fwd self key BetreeMessageDelete st;
+ _ <- betree_be_tree_apply_back self key BetreeMessageDelete st;
+ Return (st0, ())
+ od
+’
+
+val betree_be_tree_delete_back_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::delete] *)
+ betree_be_tree_delete_back
+ (self : betree_be_tree_t) (key : u64) (st : state) :
+ betree_be_tree_t result
+ =
+ betree_be_tree_apply_back self key BetreeMessageDelete st
+’
+
+val betree_be_tree_upsert_fwd_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::upsert] *)
+ betree_be_tree_upsert_fwd
+ (self : betree_be_tree_t) (key : u64) (upd : betree_upsert_fun_state_t)
+ (st : state) :
+ (state # unit) result
+ =
+ do
+ (st0, _) <- betree_be_tree_apply_fwd self key (BetreeMessageUpsert upd) st;
+ _ <- betree_be_tree_apply_back self key (BetreeMessageUpsert upd) st;
+ Return (st0, ())
+ od
+’
+
+val betree_be_tree_upsert_back_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::upsert] *)
+ betree_be_tree_upsert_back
+ (self : betree_be_tree_t) (key : u64) (upd : betree_upsert_fun_state_t)
+ (st : state) :
+ betree_be_tree_t result
+ =
+ betree_be_tree_apply_back self key (BetreeMessageUpsert upd) st
+’
+
+val betree_be_tree_lookup_fwd_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::lookup] *)
+ betree_be_tree_lookup_fwd
+ (self : betree_be_tree_t) (key : u64) (st : state) :
+ (state # u64 option) result
+ =
+ betree_node_lookup_fwd self.betree_be_tree_root key st
+’
+
+val betree_be_tree_lookup_back_def = Define ‘
+ (** [betree_main::betree::BeTree::{6}::lookup] *)
+ betree_be_tree_lookup_back
+ (self : betree_be_tree_t) (key : u64) (st : state) :
+ betree_be_tree_t result
+ =
+ do
+ n <- betree_node_lookup_back self.betree_be_tree_root key st;
+ Return (self with <| betree_be_tree_root := n |>)
+ od
+’
+
+val main_fwd_def = Define ‘
+ (** [betree_main::main] *)
+ main_fwd : unit result =
+ Return ()
+’
+
+(** Unit test for [betree_main::main] *)
+val _ = assert_return (“main_fwd”)
+
+val _ = export_theory ()
diff --git a/tests/hol4/betree/betreeMain_FunsTheory.sig b/tests/hol4/betree/betreeMain_FunsTheory.sig
new file mode 100644
index 00000000..6c249f70
--- /dev/null
+++ b/tests/hol4/betree/betreeMain_FunsTheory.sig
@@ -0,0 +1,1240 @@
+signature betreeMain_FunsTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val betree_be_tree_apply_back_def : thm
+ val betree_be_tree_apply_fwd_def : thm
+ val betree_be_tree_delete_back_def : thm
+ val betree_be_tree_delete_fwd_def : thm
+ val betree_be_tree_insert_back_def : thm
+ val betree_be_tree_insert_fwd_def : thm
+ val betree_be_tree_lookup_back_def : thm
+ val betree_be_tree_lookup_fwd_def : thm
+ val betree_be_tree_new_fwd_def : thm
+ val betree_be_tree_upsert_back_def : thm
+ val betree_be_tree_upsert_fwd_def : thm
+ val betree_fresh_node_id_back_def : thm
+ val betree_fresh_node_id_fwd_def : thm
+ val betree_internal_flush_back_def : thm
+ val betree_internal_flush_fwd_def : thm
+ val betree_internal_lookup_in_children_back_def : thm
+ val betree_internal_lookup_in_children_fwd_def : thm
+ val betree_leaf_split_back_def : thm
+ val betree_leaf_split_fwd_def : thm
+ val betree_list_hd_fwd_def : thm
+ val betree_list_head_has_key_fwd_def : thm
+ val betree_list_len_fwd_def : thm
+ val betree_list_partition_at_pivot_fwd_def : thm
+ val betree_list_pop_front_back_def : thm
+ val betree_list_pop_front_fwd_def : thm
+ val betree_list_push_front_fwd_back_def : thm
+ val betree_list_split_at_fwd_def : thm
+ val betree_load_internal_node_fwd_def : thm
+ val betree_load_leaf_node_fwd_def : thm
+ val betree_node_apply_back_def : thm
+ val betree_node_apply_fwd_def : thm
+ val betree_node_apply_messages_back_def : thm
+ val betree_node_apply_messages_fwd_def : thm
+ val betree_node_apply_messages_to_internal_fwd_back_def : thm
+ val betree_node_apply_messages_to_leaf_fwd_back_def : thm
+ val betree_node_apply_to_internal_fwd_back_def : thm
+ val betree_node_apply_to_leaf_fwd_back_def : thm
+ val betree_node_apply_upserts_back_def : thm
+ val betree_node_apply_upserts_fwd_def : thm
+ val betree_node_filter_messages_for_key_fwd_back_def : thm
+ val betree_node_id_counter_fresh_id_back_def : thm
+ val betree_node_id_counter_fresh_id_fwd_def : thm
+ val betree_node_id_counter_new_fwd_def : thm
+ val betree_node_lookup_back_def : thm
+ val betree_node_lookup_first_message_after_key_back_def : thm
+ val betree_node_lookup_first_message_after_key_fwd_def : thm
+ val betree_node_lookup_first_message_for_key_back_def : thm
+ val betree_node_lookup_first_message_for_key_fwd_def : thm
+ val betree_node_lookup_fwd_def : thm
+ val betree_node_lookup_in_bindings_fwd_def : thm
+ val betree_node_lookup_mut_in_bindings_back_def : thm
+ val betree_node_lookup_mut_in_bindings_fwd_def : thm
+ val betree_store_internal_node_fwd_def : thm
+ val betree_store_leaf_node_fwd_def : thm
+ val betree_upsert_update_fwd_def : thm
+ val core_num_u64_max_body_def : thm
+ val core_num_u64_max_c_def : thm
+ val main_fwd_def : thm
+
+ val betreeMain_Funs_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [betreeMain_Opaque] Parent theory of "betreeMain_Funs"
+
+ [betree_be_tree_apply_back_def] Definition
+
+ ⊢ ∀self key msg st.
+ betree_be_tree_apply_back self key msg st =
+ do
+ (n,nic) <-
+ betree_node_apply_back self.betree_be_tree_root
+ self.betree_be_tree_params self.betree_be_tree_node_id_cnt
+ key msg st;
+ Return
+ (self with
+ <|betree_be_tree_node_id_cnt := nic;
+ betree_be_tree_root := n|>)
+ od
+
+ [betree_be_tree_apply_fwd_def] Definition
+
+ ⊢ ∀self key msg st.
+ betree_be_tree_apply_fwd self key msg st =
+ do
+ (st0,_) <-
+ betree_node_apply_fwd self.betree_be_tree_root
+ self.betree_be_tree_params self.betree_be_tree_node_id_cnt
+ key msg st;
+ monad_ignore_bind
+ (betree_node_apply_back self.betree_be_tree_root
+ self.betree_be_tree_params self.betree_be_tree_node_id_cnt
+ key msg st) (Return (st0,()))
+ od
+
+ [betree_be_tree_delete_back_def] Definition
+
+ ⊢ ∀self key st.
+ betree_be_tree_delete_back self key st =
+ betree_be_tree_apply_back self key BetreeMessageDelete st
+
+ [betree_be_tree_delete_fwd_def] Definition
+
+ ⊢ ∀self key st.
+ betree_be_tree_delete_fwd self key st =
+ do
+ (st0,_) <-
+ betree_be_tree_apply_fwd self key BetreeMessageDelete st;
+ monad_ignore_bind
+ (betree_be_tree_apply_back self key BetreeMessageDelete st)
+ (Return (st0,()))
+ od
+
+ [betree_be_tree_insert_back_def] Definition
+
+ ⊢ ∀self key value st.
+ betree_be_tree_insert_back self key value st =
+ betree_be_tree_apply_back self key (BetreeMessageInsert value) st
+
+ [betree_be_tree_insert_fwd_def] Definition
+
+ ⊢ ∀self key value st.
+ betree_be_tree_insert_fwd self key value st =
+ do
+ (st0,_) <-
+ betree_be_tree_apply_fwd self key (BetreeMessageInsert value)
+ st;
+ monad_ignore_bind
+ (betree_be_tree_apply_back self key
+ (BetreeMessageInsert value) st) (Return (st0,()))
+ od
+
+ [betree_be_tree_lookup_back_def] Definition
+
+ ⊢ ∀self key st.
+ betree_be_tree_lookup_back self key st =
+ do
+ n <- betree_node_lookup_back self.betree_be_tree_root key st;
+ Return (self with betree_be_tree_root := n)
+ od
+
+ [betree_be_tree_lookup_fwd_def] Definition
+
+ ⊢ ∀self key st.
+ betree_be_tree_lookup_fwd self key st =
+ betree_node_lookup_fwd self.betree_be_tree_root key st
+
+ [betree_be_tree_new_fwd_def] Definition
+
+ ⊢ ∀min_flush_size split_size st.
+ betree_be_tree_new_fwd min_flush_size split_size st =
+ do
+ node_id_cnt <- betree_node_id_counter_new_fwd;
+ id <- betree_node_id_counter_fresh_id_fwd node_id_cnt;
+ (st0,_) <- betree_store_leaf_node_fwd id BetreeListNil st;
+ node_id_cnt0 <-
+ betree_node_id_counter_fresh_id_back node_id_cnt;
+ Return
+ (st0,
+ <|betree_be_tree_params :=
+ <|betree_params_min_flush_size := min_flush_size;
+ betree_params_split_size := split_size|>;
+ betree_be_tree_node_id_cnt := node_id_cnt0;
+ betree_be_tree_root :=
+ BetreeNodeLeaf
+ <|betree_leaf_id := id;
+ betree_leaf_size := int_to_u64 0|> |>)
+ od
+
+ [betree_be_tree_upsert_back_def] Definition
+
+ ⊢ ∀self key upd st.
+ betree_be_tree_upsert_back self key upd st =
+ betree_be_tree_apply_back self key (BetreeMessageUpsert upd) st
+
+ [betree_be_tree_upsert_fwd_def] Definition
+
+ ⊢ ∀self key upd st.
+ betree_be_tree_upsert_fwd self key upd st =
+ do
+ (st0,_) <-
+ betree_be_tree_apply_fwd self key (BetreeMessageUpsert upd)
+ st;
+ monad_ignore_bind
+ (betree_be_tree_apply_back self key (BetreeMessageUpsert upd)
+ st) (Return (st0,()))
+ od
+
+ [betree_fresh_node_id_back_def] Definition
+
+ ⊢ ∀counter.
+ betree_fresh_node_id_back counter =
+ u64_add counter (int_to_u64 1)
+
+ [betree_fresh_node_id_fwd_def] Definition
+
+ ⊢ ∀counter.
+ betree_fresh_node_id_fwd counter =
+ monad_ignore_bind (u64_add counter (int_to_u64 1))
+ (Return counter)
+
+ [betree_internal_flush_back_def] Definition
+
+ ⊢ ∀self params node_id_cnt content st.
+ betree_internal_flush_back self params node_id_cnt content st =
+ do
+ p <-
+ betree_list_partition_at_pivot_fwd content
+ self.betree_internal_pivot;
+ (msgs_left,msgs_right) <<- p;
+ len_left <- betree_list_len_fwd msgs_left;
+ if u64_ge len_left params.betree_params_min_flush_size then
+ do
+ (st0,_) <-
+ betree_node_apply_messages_fwd self.betree_internal_left
+ params node_id_cnt msgs_left st;
+ (n,node_id_cnt0) <-
+ betree_node_apply_messages_back self.betree_internal_left
+ params node_id_cnt msgs_left st;
+ len_right <- betree_list_len_fwd msgs_right;
+ if
+ u64_ge len_right params.betree_params_min_flush_size
+ then
+ do
+ (n0,node_id_cnt1) <-
+ betree_node_apply_messages_back
+ self.betree_internal_right params node_id_cnt0
+ msgs_right st0;
+ Return
+ (self with
+ <|betree_internal_left := n;
+ betree_internal_right := n0|>,node_id_cnt1)
+ od
+ else
+ Return (self with betree_internal_left := n,node_id_cnt0)
+ od
+ else
+ do
+ (n,node_id_cnt0) <-
+ betree_node_apply_messages_back
+ self.betree_internal_right params node_id_cnt
+ msgs_right st;
+ Return (self with betree_internal_right := n,node_id_cnt0)
+ od
+ od
+
+ [betree_internal_flush_fwd_def] Definition
+
+ ⊢ ∀self params node_id_cnt content st.
+ betree_internal_flush_fwd self params node_id_cnt content st =
+ do
+ p <-
+ betree_list_partition_at_pivot_fwd content
+ self.betree_internal_pivot;
+ (msgs_left,msgs_right) <<- p;
+ len_left <- betree_list_len_fwd msgs_left;
+ if u64_ge len_left params.betree_params_min_flush_size then
+ do
+ (st0,_) <-
+ betree_node_apply_messages_fwd self.betree_internal_left
+ params node_id_cnt msgs_left st;
+ (_,node_id_cnt0) <-
+ betree_node_apply_messages_back self.betree_internal_left
+ params node_id_cnt msgs_left st;
+ len_right <- betree_list_len_fwd msgs_right;
+ if
+ u64_ge len_right params.betree_params_min_flush_size
+ then
+ do
+ (st1,_) <-
+ betree_node_apply_messages_fwd
+ self.betree_internal_right params node_id_cnt0
+ msgs_right st0;
+ monad_ignore_bind
+ (betree_node_apply_messages_back
+ self.betree_internal_right params node_id_cnt0
+ msgs_right st0) (Return (st1,BetreeListNil))
+ od
+ else Return (st0,msgs_right)
+ od
+ else
+ do
+ (st0,_) <-
+ betree_node_apply_messages_fwd self.betree_internal_right
+ params node_id_cnt msgs_right st;
+ monad_ignore_bind
+ (betree_node_apply_messages_back
+ self.betree_internal_right params node_id_cnt
+ msgs_right st) (Return (st0,msgs_left))
+ od
+ od
+
+ [betree_internal_lookup_in_children_back_def] Definition
+
+ ⊢ ∀self key st.
+ betree_internal_lookup_in_children_back self key st =
+ if u64_lt key self.betree_internal_pivot then
+ do
+ n <- betree_node_lookup_back self.betree_internal_left key st;
+ Return (self with betree_internal_left := n)
+ od
+ else
+ do
+ n <-
+ betree_node_lookup_back self.betree_internal_right key st;
+ Return (self with betree_internal_right := n)
+ od
+
+ [betree_internal_lookup_in_children_fwd_def] Definition
+
+ ⊢ ∀self key st.
+ betree_internal_lookup_in_children_fwd self key st =
+ if u64_lt key self.betree_internal_pivot then
+ betree_node_lookup_fwd self.betree_internal_left key st
+ else betree_node_lookup_fwd self.betree_internal_right key st
+
+ [betree_leaf_split_back_def] Definition
+
+ ⊢ ∀self content params node_id_cnt st.
+ betree_leaf_split_back self content params node_id_cnt st =
+ do
+ p <-
+ betree_list_split_at_fwd content
+ params.betree_params_split_size;
+ (content0,content1) <<- p;
+ monad_ignore_bind (betree_list_hd_fwd content1)
+ do
+ id0 <- betree_node_id_counter_fresh_id_fwd node_id_cnt;
+ node_id_cnt0 <-
+ betree_node_id_counter_fresh_id_back node_id_cnt;
+ id1 <- betree_node_id_counter_fresh_id_fwd node_id_cnt0;
+ (st0,_) <- betree_store_leaf_node_fwd id0 content0 st;
+ monad_ignore_bind
+ (betree_store_leaf_node_fwd id1 content1 st0)
+ (betree_node_id_counter_fresh_id_back node_id_cnt0)
+ od
+ od
+
+ [betree_leaf_split_fwd_def] Definition
+
+ ⊢ ∀self content params node_id_cnt st.
+ betree_leaf_split_fwd self content params node_id_cnt st =
+ do
+ p <-
+ betree_list_split_at_fwd content
+ params.betree_params_split_size;
+ (content0,content1) <<- p;
+ p0 <- betree_list_hd_fwd content1;
+ (pivot,_) <<- p0;
+ id0 <- betree_node_id_counter_fresh_id_fwd node_id_cnt;
+ node_id_cnt0 <-
+ betree_node_id_counter_fresh_id_back node_id_cnt;
+ id1 <- betree_node_id_counter_fresh_id_fwd node_id_cnt0;
+ (st0,_) <- betree_store_leaf_node_fwd id0 content0 st;
+ (st1,_) <- betree_store_leaf_node_fwd id1 content1 st0;
+ n <<-
+ BetreeNodeLeaf
+ <|betree_leaf_id := id0;
+ betree_leaf_size := params.betree_params_split_size|>;
+ n0 <<-
+ BetreeNodeLeaf
+ <|betree_leaf_id := id1;
+ betree_leaf_size := params.betree_params_split_size|>;
+ Return
+ (st1,
+ <|betree_internal_id := self.betree_leaf_id;
+ betree_internal_pivot := pivot; betree_internal_left := n;
+ betree_internal_right := n0|>)
+ od
+
+ [betree_list_hd_fwd_def] Definition
+
+ ⊢ ∀self.
+ betree_list_hd_fwd self =
+ case self of
+ BetreeListCons hd l => Return hd
+ | BetreeListNil => Fail Failure
+
+ [betree_list_head_has_key_fwd_def] Definition
+
+ ⊢ ∀self key.
+ betree_list_head_has_key_fwd self key =
+ case self of
+ BetreeListCons hd l => (let (i,_) = hd in Return (i = key))
+ | BetreeListNil => Return F
+
+ [betree_list_len_fwd_def] Definition
+
+ ⊢ ∀self.
+ betree_list_len_fwd self =
+ case self of
+ BetreeListCons t tl =>
+ do i <- betree_list_len_fwd tl; u64_add (int_to_u64 1) i od
+ | BetreeListNil => Return (int_to_u64 0)
+
+ [betree_list_partition_at_pivot_fwd_def] Definition
+
+ ⊢ ∀self pivot.
+ betree_list_partition_at_pivot_fwd self pivot =
+ case self of
+ BetreeListCons hd tl =>
+ (let
+ (i,t) = hd
+ in
+ if u64_ge i pivot then
+ Return (BetreeListNil,BetreeListCons (i,t) tl)
+ else
+ do
+ p <- betree_list_partition_at_pivot_fwd tl pivot;
+ (ls0,ls1) <<- p;
+ l <<- ls0;
+ Return (BetreeListCons (i,t) l,ls1)
+ od)
+ | BetreeListNil => Return (BetreeListNil,BetreeListNil)
+
+ [betree_list_pop_front_back_def] Definition
+
+ ⊢ ∀self.
+ betree_list_pop_front_back self =
+ (let
+ ls = mem_replace_fwd self BetreeListNil
+ in
+ case ls of
+ BetreeListCons x tl => Return tl
+ | BetreeListNil => Fail Failure)
+
+ [betree_list_pop_front_fwd_def] Definition
+
+ ⊢ ∀self.
+ betree_list_pop_front_fwd self =
+ (let
+ ls = mem_replace_fwd self BetreeListNil
+ in
+ case ls of
+ BetreeListCons x tl => Return x
+ | BetreeListNil => Fail Failure)
+
+ [betree_list_push_front_fwd_back_def] Definition
+
+ ⊢ ∀self x.
+ betree_list_push_front_fwd_back self x =
+ (let
+ tl = mem_replace_fwd self BetreeListNil;
+ l = tl
+ in
+ Return (BetreeListCons x l))
+
+ [betree_list_split_at_fwd_def] Definition
+
+ ⊢ ∀self n.
+ betree_list_split_at_fwd self n =
+ if n = int_to_u64 0 then Return (BetreeListNil,self)
+ else
+ case self of
+ BetreeListCons hd tl =>
+ do
+ i <- u64_sub n (int_to_u64 1);
+ p <- betree_list_split_at_fwd tl i;
+ (ls0,ls1) <<- p;
+ l <<- ls0;
+ Return (BetreeListCons hd l,ls1)
+ od
+ | BetreeListNil => Fail Failure
+
+ [betree_load_internal_node_fwd_def] Definition
+
+ ⊢ ∀id st.
+ betree_load_internal_node_fwd id st =
+ betree_utils_load_internal_node_fwd id st
+
+ [betree_load_leaf_node_fwd_def] Definition
+
+ ⊢ ∀id st.
+ betree_load_leaf_node_fwd id st =
+ betree_utils_load_leaf_node_fwd id st
+
+ [betree_node_apply_back_def] Definition
+
+ ⊢ ∀self params node_id_cnt key new_msg st.
+ betree_node_apply_back self params node_id_cnt key new_msg st =
+ (let
+ l = BetreeListNil
+ in
+ betree_node_apply_messages_back self params node_id_cnt
+ (BetreeListCons (key,new_msg) l) st)
+
+ [betree_node_apply_fwd_def] Definition
+
+ ⊢ ∀self params node_id_cnt key new_msg st.
+ betree_node_apply_fwd self params node_id_cnt key new_msg st =
+ (let
+ l = BetreeListNil
+ in
+ do
+ (st0,_) <-
+ betree_node_apply_messages_fwd self params node_id_cnt
+ (BetreeListCons (key,new_msg) l) st;
+ monad_ignore_bind
+ (betree_node_apply_messages_back self params node_id_cnt
+ (BetreeListCons (key,new_msg) l) st) (Return (st0,()))
+ od)
+
+ [betree_node_apply_messages_back_def] Definition
+
+ ⊢ ∀self params node_id_cnt msgs st.
+ betree_node_apply_messages_back self params node_id_cnt msgs st =
+ case self of
+ BetreeNodeInternal node =>
+ do
+ (st0,content) <-
+ betree_load_internal_node_fwd node.betree_internal_id st;
+ content0 <-
+ betree_node_apply_messages_to_internal_fwd_back content
+ msgs;
+ num_msgs <- betree_list_len_fwd content0;
+ if u64_ge num_msgs params.betree_params_min_flush_size then
+ do
+ (st1,content1) <-
+ betree_internal_flush_fwd node params node_id_cnt
+ content0 st0;
+ (node0,node_id_cnt0) <-
+ betree_internal_flush_back node params node_id_cnt
+ content0 st0;
+ monad_ignore_bind
+ (betree_store_internal_node_fwd
+ node0.betree_internal_id content1 st1)
+ (Return (BetreeNodeInternal node0,node_id_cnt0))
+ od
+ else
+ monad_ignore_bind
+ (betree_store_internal_node_fwd node.betree_internal_id
+ content0 st0)
+ (Return (BetreeNodeInternal node,node_id_cnt))
+ od
+ | BetreeNodeLeaf node' =>
+ do
+ (st0,content) <-
+ betree_load_leaf_node_fwd node'.betree_leaf_id st;
+ content0 <-
+ betree_node_apply_messages_to_leaf_fwd_back content msgs;
+ len <- betree_list_len_fwd content0;
+ i <- u64_mul (int_to_u64 2) params.betree_params_split_size;
+ if u64_ge len i then
+ do
+ (st1,new_node) <-
+ betree_leaf_split_fwd node' content0 params node_id_cnt
+ st0;
+ monad_ignore_bind
+ (betree_store_leaf_node_fwd node'.betree_leaf_id
+ BetreeListNil st1)
+ do
+ node_id_cnt0 <-
+ betree_leaf_split_back node' content0 params
+ node_id_cnt st0;
+ Return (BetreeNodeInternal new_node,node_id_cnt0)
+ od
+ od
+ else
+ monad_ignore_bind
+ (betree_store_leaf_node_fwd node'.betree_leaf_id content0
+ st0)
+ (Return
+ (BetreeNodeLeaf (node' with betree_leaf_size := len),
+ node_id_cnt))
+ od
+
+ [betree_node_apply_messages_fwd_def] Definition
+
+ ⊢ ∀self params node_id_cnt msgs st.
+ betree_node_apply_messages_fwd self params node_id_cnt msgs st =
+ case self of
+ BetreeNodeInternal node =>
+ do
+ (st0,content) <-
+ betree_load_internal_node_fwd node.betree_internal_id st;
+ content0 <-
+ betree_node_apply_messages_to_internal_fwd_back content
+ msgs;
+ num_msgs <- betree_list_len_fwd content0;
+ if u64_ge num_msgs params.betree_params_min_flush_size then
+ do
+ (st1,content1) <-
+ betree_internal_flush_fwd node params node_id_cnt
+ content0 st0;
+ (node0,_) <-
+ betree_internal_flush_back node params node_id_cnt
+ content0 st0;
+ (st2,_) <-
+ betree_store_internal_node_fwd
+ node0.betree_internal_id content1 st1;
+ Return (st2,())
+ od
+ else
+ do
+ (st1,_) <-
+ betree_store_internal_node_fwd
+ node.betree_internal_id content0 st0;
+ Return (st1,())
+ od
+ od
+ | BetreeNodeLeaf node' =>
+ do
+ (st0,content) <-
+ betree_load_leaf_node_fwd node'.betree_leaf_id st;
+ content0 <-
+ betree_node_apply_messages_to_leaf_fwd_back content msgs;
+ len <- betree_list_len_fwd content0;
+ i <- u64_mul (int_to_u64 2) params.betree_params_split_size;
+ if u64_ge len i then
+ do
+ (st1,_) <-
+ betree_leaf_split_fwd node' content0 params node_id_cnt
+ st0;
+ (st2,_) <-
+ betree_store_leaf_node_fwd node'.betree_leaf_id
+ BetreeListNil st1;
+ Return (st2,())
+ od
+ else
+ do
+ (st1,_) <-
+ betree_store_leaf_node_fwd node'.betree_leaf_id
+ content0 st0;
+ Return (st1,())
+ od
+ od
+
+ [betree_node_apply_messages_to_internal_fwd_back_def] Definition
+
+ ⊢ ∀msgs new_msgs.
+ betree_node_apply_messages_to_internal_fwd_back msgs new_msgs =
+ case new_msgs of
+ BetreeListCons new_msg new_msgs_tl =>
+ (let
+ (i,m) = new_msg
+ in
+ do
+ msgs0 <- betree_node_apply_to_internal_fwd_back msgs i m;
+ betree_node_apply_messages_to_internal_fwd_back msgs0
+ new_msgs_tl
+ od)
+ | BetreeListNil => Return msgs
+
+ [betree_node_apply_messages_to_leaf_fwd_back_def] Definition
+
+ ⊢ ∀bindings new_msgs.
+ betree_node_apply_messages_to_leaf_fwd_back bindings new_msgs =
+ case new_msgs of
+ BetreeListCons new_msg new_msgs_tl =>
+ (let
+ (i,m) = new_msg
+ in
+ do
+ bindings0 <-
+ betree_node_apply_to_leaf_fwd_back bindings i m;
+ betree_node_apply_messages_to_leaf_fwd_back bindings0
+ new_msgs_tl
+ od)
+ | BetreeListNil => Return bindings
+
+ [betree_node_apply_to_internal_fwd_back_def] Definition
+
+ ⊢ ∀msgs key new_msg.
+ betree_node_apply_to_internal_fwd_back msgs key new_msg =
+ do
+ msgs0 <- betree_node_lookup_first_message_for_key_fwd key msgs;
+ b <- betree_list_head_has_key_fwd msgs0 key;
+ if b then
+ case new_msg of
+ BetreeMessageInsert i =>
+ do
+ msgs1 <-
+ betree_node_filter_messages_for_key_fwd_back key
+ msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1
+ (key,BetreeMessageInsert i);
+ betree_node_lookup_first_message_for_key_back key msgs
+ msgs2
+ od
+ | BetreeMessageDelete =>
+ do
+ msgs1 <-
+ betree_node_filter_messages_for_key_fwd_back key msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1
+ (key,BetreeMessageDelete);
+ betree_node_lookup_first_message_for_key_back key msgs
+ msgs2
+ od
+ | BetreeMessageUpsert s =>
+ do
+ p <- betree_list_hd_fwd msgs0;
+ (_,m) <<- p;
+ case m of
+ BetreeMessageInsert prev =>
+ do
+ v <- betree_upsert_update_fwd (SOME prev) s;
+ msgs1 <- betree_list_pop_front_back msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1
+ (key,BetreeMessageInsert v);
+ betree_node_lookup_first_message_for_key_back key
+ msgs msgs2
+ od
+ | BetreeMessageDelete =>
+ do
+ v <- betree_upsert_update_fwd NONE s;
+ msgs1 <- betree_list_pop_front_back msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1
+ (key,BetreeMessageInsert v);
+ betree_node_lookup_first_message_for_key_back key
+ msgs msgs2
+ od
+ | BetreeMessageUpsert ufs =>
+ do
+ msgs1 <-
+ betree_node_lookup_first_message_after_key_fwd key
+ msgs0;
+ msgs2 <-
+ betree_list_push_front_fwd_back msgs1
+ (key,BetreeMessageUpsert s);
+ msgs3 <-
+ betree_node_lookup_first_message_after_key_back key
+ msgs0 msgs2;
+ betree_node_lookup_first_message_for_key_back key
+ msgs msgs3
+ od
+ od
+ else
+ do
+ msgs1 <-
+ betree_list_push_front_fwd_back msgs0 (key,new_msg);
+ betree_node_lookup_first_message_for_key_back key msgs
+ msgs1
+ od
+ od
+
+ [betree_node_apply_to_leaf_fwd_back_def] Definition
+
+ ⊢ ∀bindings key new_msg.
+ betree_node_apply_to_leaf_fwd_back bindings key new_msg =
+ do
+ bindings0 <-
+ betree_node_lookup_mut_in_bindings_fwd key bindings;
+ b <- betree_list_head_has_key_fwd bindings0 key;
+ if b then
+ do
+ hd <- betree_list_pop_front_fwd bindings0;
+ case new_msg of
+ BetreeMessageInsert v =>
+ do
+ bindings1 <- betree_list_pop_front_back bindings0;
+ bindings2 <-
+ betree_list_push_front_fwd_back bindings1 (key,v);
+ betree_node_lookup_mut_in_bindings_back key bindings
+ bindings2
+ od
+ | BetreeMessageDelete =>
+ do
+ bindings1 <- betree_list_pop_front_back bindings0;
+ betree_node_lookup_mut_in_bindings_back key bindings
+ bindings1
+ od
+ | BetreeMessageUpsert s =>
+ (let
+ (_,i) = hd
+ in
+ do
+ v <- betree_upsert_update_fwd (SOME i) s;
+ bindings1 <- betree_list_pop_front_back bindings0;
+ bindings2 <-
+ betree_list_push_front_fwd_back bindings1 (key,v);
+ betree_node_lookup_mut_in_bindings_back key bindings
+ bindings2
+ od)
+ od
+ else
+ case new_msg of
+ BetreeMessageInsert v =>
+ do
+ bindings1 <-
+ betree_list_push_front_fwd_back bindings0 (key,v);
+ betree_node_lookup_mut_in_bindings_back key bindings
+ bindings1
+ od
+ | BetreeMessageDelete =>
+ betree_node_lookup_mut_in_bindings_back key bindings
+ bindings0
+ | BetreeMessageUpsert s =>
+ do
+ v <- betree_upsert_update_fwd NONE s;
+ bindings1 <-
+ betree_list_push_front_fwd_back bindings0 (key,v);
+ betree_node_lookup_mut_in_bindings_back key bindings
+ bindings1
+ od
+ od
+
+ [betree_node_apply_upserts_back_def] Definition
+
+ ⊢ ∀msgs prev key st.
+ betree_node_apply_upserts_back msgs prev key st =
+ do
+ b <- betree_list_head_has_key_fwd msgs key;
+ if b then
+ do
+ msg <- betree_list_pop_front_fwd msgs;
+ (_,m) <<- msg;
+ case m of
+ BetreeMessageInsert i => Fail Failure
+ | BetreeMessageDelete => Fail Failure
+ | BetreeMessageUpsert s =>
+ do
+ v <- betree_upsert_update_fwd prev s;
+ msgs0 <- betree_list_pop_front_back msgs;
+ betree_node_apply_upserts_back msgs0 (SOME v) key st
+ od
+ od
+ else
+ do
+ (_,v) <- core_option_option_unwrap_fwd prev st;
+ betree_list_push_front_fwd_back msgs
+ (key,BetreeMessageInsert v)
+ od
+ od
+
+ [betree_node_apply_upserts_fwd_def] Definition
+
+ ⊢ ∀msgs prev key st.
+ betree_node_apply_upserts_fwd msgs prev key st =
+ do
+ b <- betree_list_head_has_key_fwd msgs key;
+ if b then
+ do
+ msg <- betree_list_pop_front_fwd msgs;
+ (_,m) <<- msg;
+ case m of
+ BetreeMessageInsert i => Fail Failure
+ | BetreeMessageDelete => Fail Failure
+ | BetreeMessageUpsert s =>
+ do
+ v <- betree_upsert_update_fwd prev s;
+ msgs0 <- betree_list_pop_front_back msgs;
+ betree_node_apply_upserts_fwd msgs0 (SOME v) key st
+ od
+ od
+ else
+ do
+ (st0,v) <- core_option_option_unwrap_fwd prev st;
+ monad_ignore_bind
+ (betree_list_push_front_fwd_back msgs
+ (key,BetreeMessageInsert v)) (Return (st0,v))
+ od
+ od
+
+ [betree_node_filter_messages_for_key_fwd_back_def] Definition
+
+ ⊢ ∀key msgs.
+ betree_node_filter_messages_for_key_fwd_back key msgs =
+ case msgs of
+ BetreeListCons p l =>
+ (let
+ (k,m) = p
+ in
+ if k = key then
+ do
+ msgs0 <-
+ betree_list_pop_front_back (BetreeListCons (k,m) l);
+ betree_node_filter_messages_for_key_fwd_back key msgs0
+ od
+ else Return (BetreeListCons (k,m) l))
+ | BetreeListNil => Return BetreeListNil
+
+ [betree_node_id_counter_fresh_id_back_def] Definition
+
+ ⊢ ∀self.
+ betree_node_id_counter_fresh_id_back self =
+ do
+ i <-
+ u64_add self.betree_node_id_counter_next_node_id
+ (int_to_u64 1);
+ Return <|betree_node_id_counter_next_node_id := i|>
+ od
+
+ [betree_node_id_counter_fresh_id_fwd_def] Definition
+
+ ⊢ ∀self.
+ betree_node_id_counter_fresh_id_fwd self =
+ monad_ignore_bind
+ (u64_add self.betree_node_id_counter_next_node_id
+ (int_to_u64 1))
+ (Return self.betree_node_id_counter_next_node_id)
+
+ [betree_node_id_counter_new_fwd_def] Definition
+
+ ⊢ betree_node_id_counter_new_fwd =
+ Return <|betree_node_id_counter_next_node_id := int_to_u64 0|>
+
+ [betree_node_lookup_back_def] Definition
+
+ ⊢ ∀self key st.
+ betree_node_lookup_back self key st =
+ case self of
+ BetreeNodeInternal node =>
+ do
+ (st0,msgs) <-
+ betree_load_internal_node_fwd node.betree_internal_id st;
+ pending <-
+ betree_node_lookup_first_message_for_key_fwd key msgs;
+ case pending of
+ BetreeListCons p l =>
+ (let
+ (k,msg) = p
+ in
+ if k ≠ key then
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back
+ key msgs (BetreeListCons (k,msg) l))
+ do
+ node0 <-
+ betree_internal_lookup_in_children_back node
+ key st0;
+ Return (BetreeNodeInternal node0)
+ od
+ else
+ case msg of
+ BetreeMessageInsert v =>
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back
+ key msgs
+ (BetreeListCons (k,BetreeMessageInsert v)
+ l)) (Return (BetreeNodeInternal node))
+ | BetreeMessageDelete =>
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back
+ key msgs
+ (BetreeListCons (k,BetreeMessageDelete) l))
+ (Return (BetreeNodeInternal node))
+ | BetreeMessageUpsert ufs =>
+ do
+ (st1,v) <-
+ betree_internal_lookup_in_children_fwd node
+ key st0;
+ (st2,_) <-
+ betree_node_apply_upserts_fwd
+ (BetreeListCons
+ (k,BetreeMessageUpsert ufs) l) v key
+ st1;
+ node0 <-
+ betree_internal_lookup_in_children_back node
+ key st0;
+ pending0 <-
+ betree_node_apply_upserts_back
+ (BetreeListCons
+ (k,BetreeMessageUpsert ufs) l) v key
+ st1;
+ msgs0 <-
+ betree_node_lookup_first_message_for_key_back
+ key msgs pending0;
+ monad_ignore_bind
+ (betree_store_internal_node_fwd
+ node0.betree_internal_id msgs0 st2)
+ (Return (BetreeNodeInternal node0))
+ od)
+ | BetreeListNil =>
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back key msgs
+ BetreeListNil)
+ do
+ node0 <-
+ betree_internal_lookup_in_children_back node key
+ st0;
+ Return (BetreeNodeInternal node0)
+ od
+ od
+ | BetreeNodeLeaf node' =>
+ do
+ (_,bindings) <-
+ betree_load_leaf_node_fwd node'.betree_leaf_id st;
+ monad_ignore_bind
+ (betree_node_lookup_in_bindings_fwd key bindings)
+ (Return (BetreeNodeLeaf node'))
+ od
+
+ [betree_node_lookup_first_message_after_key_back_def] Definition
+
+ ⊢ ∀key msgs ret.
+ betree_node_lookup_first_message_after_key_back key msgs ret =
+ case msgs of
+ BetreeListCons p next_msgs =>
+ (let
+ (k,m) = p
+ in
+ if k = key then
+ do
+ next_msgs0 <-
+ betree_node_lookup_first_message_after_key_back key
+ next_msgs ret;
+ Return (BetreeListCons (k,m) next_msgs0)
+ od
+ else Return ret)
+ | BetreeListNil => Return ret
+
+ [betree_node_lookup_first_message_after_key_fwd_def] Definition
+
+ ⊢ ∀key msgs.
+ betree_node_lookup_first_message_after_key_fwd key msgs =
+ case msgs of
+ BetreeListCons p next_msgs =>
+ (let
+ (k,m) = p
+ in
+ if k = key then
+ betree_node_lookup_first_message_after_key_fwd key
+ next_msgs
+ else Return (BetreeListCons (k,m) next_msgs))
+ | BetreeListNil => Return BetreeListNil
+
+ [betree_node_lookup_first_message_for_key_back_def] Definition
+
+ ⊢ ∀key msgs ret.
+ betree_node_lookup_first_message_for_key_back key msgs ret =
+ case msgs of
+ BetreeListCons x next_msgs =>
+ (let
+ (i,m) = x
+ in
+ if u64_ge i key then Return ret
+ else
+ do
+ next_msgs0 <-
+ betree_node_lookup_first_message_for_key_back key
+ next_msgs ret;
+ Return (BetreeListCons (i,m) next_msgs0)
+ od)
+ | BetreeListNil => Return ret
+
+ [betree_node_lookup_first_message_for_key_fwd_def] Definition
+
+ ⊢ ∀key msgs.
+ betree_node_lookup_first_message_for_key_fwd key msgs =
+ case msgs of
+ BetreeListCons x next_msgs =>
+ (let
+ (i,m) = x
+ in
+ if u64_ge i key then
+ Return (BetreeListCons (i,m) next_msgs)
+ else
+ betree_node_lookup_first_message_for_key_fwd key
+ next_msgs)
+ | BetreeListNil => Return BetreeListNil
+
+ [betree_node_lookup_fwd_def] Definition
+
+ ⊢ ∀self key st.
+ betree_node_lookup_fwd self key st =
+ case self of
+ BetreeNodeInternal node =>
+ do
+ (st0,msgs) <-
+ betree_load_internal_node_fwd node.betree_internal_id st;
+ pending <-
+ betree_node_lookup_first_message_for_key_fwd key msgs;
+ case pending of
+ BetreeListCons p l =>
+ (let
+ (k,msg) = p
+ in
+ if k ≠ key then
+ do
+ (st1,opt) <-
+ betree_internal_lookup_in_children_fwd node
+ key st0;
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back
+ key msgs (BetreeListCons (k,msg) l))
+ (Return (st1,opt))
+ od
+ else
+ case msg of
+ BetreeMessageInsert v =>
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back
+ key msgs
+ (BetreeListCons (k,BetreeMessageInsert v)
+ l)) (Return (st0,SOME v))
+ | BetreeMessageDelete =>
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back
+ key msgs
+ (BetreeListCons (k,BetreeMessageDelete) l))
+ (Return (st0,NONE))
+ | BetreeMessageUpsert ufs =>
+ do
+ (st1,v) <-
+ betree_internal_lookup_in_children_fwd node
+ key st0;
+ (st2,v0) <-
+ betree_node_apply_upserts_fwd
+ (BetreeListCons
+ (k,BetreeMessageUpsert ufs) l) v key
+ st1;
+ node0 <-
+ betree_internal_lookup_in_children_back node
+ key st0;
+ pending0 <-
+ betree_node_apply_upserts_back
+ (BetreeListCons
+ (k,BetreeMessageUpsert ufs) l) v key
+ st1;
+ msgs0 <-
+ betree_node_lookup_first_message_for_key_back
+ key msgs pending0;
+ (st3,_) <-
+ betree_store_internal_node_fwd
+ node0.betree_internal_id msgs0 st2;
+ Return (st3,SOME v0)
+ od)
+ | BetreeListNil =>
+ do
+ (st1,opt) <-
+ betree_internal_lookup_in_children_fwd node key st0;
+ monad_ignore_bind
+ (betree_node_lookup_first_message_for_key_back key
+ msgs BetreeListNil) (Return (st1,opt))
+ od
+ od
+ | BetreeNodeLeaf node' =>
+ do
+ (st0,bindings) <-
+ betree_load_leaf_node_fwd node'.betree_leaf_id st;
+ opt <- betree_node_lookup_in_bindings_fwd key bindings;
+ Return (st0,opt)
+ od
+
+ [betree_node_lookup_in_bindings_fwd_def] Definition
+
+ ⊢ ∀key bindings.
+ betree_node_lookup_in_bindings_fwd key bindings =
+ case bindings of
+ BetreeListCons hd tl =>
+ (let
+ (i,i0) = hd
+ in
+ if i = key then Return (SOME i0)
+ else if u64_gt i key then Return NONE
+ else betree_node_lookup_in_bindings_fwd key tl)
+ | BetreeListNil => Return NONE
+
+ [betree_node_lookup_mut_in_bindings_back_def] Definition
+
+ ⊢ ∀key bindings ret.
+ betree_node_lookup_mut_in_bindings_back key bindings ret =
+ case bindings of
+ BetreeListCons hd tl =>
+ (let
+ (i,i0) = hd
+ in
+ if u64_ge i key then Return ret
+ else
+ do
+ tl0 <-
+ betree_node_lookup_mut_in_bindings_back key tl ret;
+ Return (BetreeListCons (i,i0) tl0)
+ od)
+ | BetreeListNil => Return ret
+
+ [betree_node_lookup_mut_in_bindings_fwd_def] Definition
+
+ ⊢ ∀key bindings.
+ betree_node_lookup_mut_in_bindings_fwd key bindings =
+ case bindings of
+ BetreeListCons hd tl =>
+ (let
+ (i,i0) = hd
+ in
+ if u64_ge i key then Return (BetreeListCons (i,i0) tl)
+ else betree_node_lookup_mut_in_bindings_fwd key tl)
+ | BetreeListNil => Return BetreeListNil
+
+ [betree_store_internal_node_fwd_def] Definition
+
+ ⊢ ∀id content st.
+ betree_store_internal_node_fwd id content st =
+ do
+ (st0,_) <- betree_utils_store_internal_node_fwd id content st;
+ Return (st0,())
+ od
+
+ [betree_store_leaf_node_fwd_def] Definition
+
+ ⊢ ∀id content st.
+ betree_store_leaf_node_fwd id content st =
+ do
+ (st0,_) <- betree_utils_store_leaf_node_fwd id content st;
+ Return (st0,())
+ od
+
+ [betree_upsert_update_fwd_def] Definition
+
+ ⊢ ∀prev st.
+ betree_upsert_update_fwd prev st =
+ case prev of
+ NONE =>
+ (case st of
+ BetreeUpsertFunStateAdd v => Return v
+ | BetreeUpsertFunStateSub i => Return (int_to_u64 0))
+ | SOME prev0 =>
+ case st of
+ BetreeUpsertFunStateAdd v =>
+ do
+ margin <- u64_sub core_num_u64_max_c prev0;
+ if u64_ge margin v then u64_add prev0 v
+ else Return core_num_u64_max_c
+ od
+ | BetreeUpsertFunStateSub v' =>
+ if u64_ge prev0 v' then u64_sub prev0 v'
+ else Return (int_to_u64 0)
+
+ [core_num_u64_max_body_def] Definition
+
+ ⊢ core_num_u64_max_body = Return (int_to_u64 18446744073709551615)
+
+ [core_num_u64_max_c_def] Definition
+
+ ⊢ core_num_u64_max_c = get_return_value core_num_u64_max_body
+
+ [main_fwd_def] Definition
+
+ ⊢ main_fwd = Return ()
+
+
+*)
+end
diff --git a/tests/hol4/betree/betreeMain_OpaqueScript.sml b/tests/hol4/betree/betreeMain_OpaqueScript.sml
new file mode 100644
index 00000000..a6f0cf15
--- /dev/null
+++ b/tests/hol4/betree/betreeMain_OpaqueScript.sml
@@ -0,0 +1,26 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [betree_main]: opaque function definitions *)
+open primitivesLib divDefLib
+open betreeMain_TypesTheory
+
+val _ = new_theory "betreeMain_Opaque"
+
+
+val _ = new_constant ("betree_utils_load_internal_node_fwd",
+ “:u64 -> state -> (state # (u64 # betree_message_t) betree_list_t)
+ result”)
+
+val _ = new_constant ("betree_utils_store_internal_node_fwd",
+ “:u64 -> (u64 # betree_message_t) betree_list_t -> state -> (state # unit)
+ result”)
+
+val _ = new_constant ("betree_utils_load_leaf_node_fwd",
+ “:u64 -> state -> (state # (u64 # u64) betree_list_t) result”)
+
+val _ = new_constant ("betree_utils_store_leaf_node_fwd",
+ “:u64 -> (u64 # u64) betree_list_t -> state -> (state # unit) result”)
+
+val _ = new_constant ("core_option_option_unwrap_fwd",
+ “:'t option -> state -> (state # 't) result”)
+
+val _ = export_theory ()
diff --git a/tests/hol4/betree/betreeMain_OpaqueTheory.sig b/tests/hol4/betree/betreeMain_OpaqueTheory.sig
new file mode 100644
index 00000000..da7559a0
--- /dev/null
+++ b/tests/hol4/betree/betreeMain_OpaqueTheory.sig
@@ -0,0 +1,11 @@
+signature betreeMain_OpaqueTheory =
+sig
+ type thm = Thm.thm
+
+ val betreeMain_Opaque_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [betreeMain_Types] Parent theory of "betreeMain_Opaque"
+
+
+*)
+end
diff --git a/tests/hol4/betree/betreeMain_TypesScript.sml b/tests/hol4/betree/betreeMain_TypesScript.sml
new file mode 100644
index 00000000..c43421c2
--- /dev/null
+++ b/tests/hol4/betree/betreeMain_TypesScript.sml
@@ -0,0 +1,76 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [betree_main]: type definitions *)
+open primitivesLib divDefLib
+
+val _ = new_theory "betreeMain_Types"
+
+
+Datatype:
+ (** [betree_main::betree::List] *)
+ betree_list_t = | BetreeListCons 't betree_list_t | BetreeListNil
+End
+
+Datatype:
+ (** [betree_main::betree::UpsertFunState] *)
+ betree_upsert_fun_state_t =
+ | BetreeUpsertFunStateAdd u64
+ | BetreeUpsertFunStateSub u64
+End
+
+Datatype:
+ (** [betree_main::betree::Message] *)
+ betree_message_t =
+ | BetreeMessageInsert u64
+ | BetreeMessageDelete
+ | BetreeMessageUpsert betree_upsert_fun_state_t
+End
+
+Datatype:
+ (** [betree_main::betree::Leaf] *)
+ betree_leaf_t = <| betree_leaf_id : u64; betree_leaf_size : u64; |>
+End
+
+Datatype:
+ (** [betree_main::betree::Node] *)
+ betree_node_t =
+ | BetreeNodeInternal betree_internal_t
+ | BetreeNodeLeaf betree_leaf_t
+ ;
+
+ (** [betree_main::betree::Internal] *)
+ betree_internal_t =
+ <|
+ betree_internal_id : u64;
+ betree_internal_pivot : u64;
+ betree_internal_left : betree_node_t;
+ betree_internal_right : betree_node_t;
+ |>
+End
+
+Datatype:
+ (** [betree_main::betree::Params] *)
+ betree_params_t =
+ <|
+ betree_params_min_flush_size : u64; betree_params_split_size : u64;
+ |>
+End
+
+Datatype:
+ (** [betree_main::betree::NodeIdCounter] *)
+ betree_node_id_counter_t = <| betree_node_id_counter_next_node_id : u64; |>
+End
+
+Datatype:
+ (** [betree_main::betree::BeTree] *)
+ betree_be_tree_t =
+ <|
+ betree_be_tree_params : betree_params_t;
+ betree_be_tree_node_id_cnt : betree_node_id_counter_t;
+ betree_be_tree_root : betree_node_t;
+ |>
+End
+
+(** The state type used in the state-error monad *)
+val _ = new_type ("state", 0)
+
+val _ = export_theory ()
diff --git a/tests/hol4/betree/betreeMain_TypesTheory.sig b/tests/hol4/betree/betreeMain_TypesTheory.sig
new file mode 100644
index 00000000..5cbe4c6b
--- /dev/null
+++ b/tests/hol4/betree/betreeMain_TypesTheory.sig
@@ -0,0 +1,1751 @@
+signature betreeMain_TypesTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val betree_be_tree_t_TY_DEF : thm
+ val betree_be_tree_t_case_def : thm
+ val betree_be_tree_t_size_def : thm
+ val betree_internal_t_TY_DEF : thm
+ val betree_internal_t_case_def : thm
+ val betree_leaf_t_TY_DEF : thm
+ val betree_leaf_t_case_def : thm
+ val betree_leaf_t_size_def : thm
+ val betree_list_t_TY_DEF : thm
+ val betree_list_t_case_def : thm
+ val betree_list_t_size_def : thm
+ val betree_message_t_TY_DEF : thm
+ val betree_message_t_case_def : thm
+ val betree_message_t_size_def : thm
+ val betree_node_id_counter_t_TY_DEF : thm
+ val betree_node_id_counter_t_case_def : thm
+ val betree_node_id_counter_t_size_def : thm
+ val betree_node_t_TY_DEF : thm
+ val betree_node_t_case_def : thm
+ val betree_node_t_size_def : thm
+ val betree_params_t_TY_DEF : thm
+ val betree_params_t_case_def : thm
+ val betree_params_t_size_def : thm
+ val betree_upsert_fun_state_t_TY_DEF : thm
+ val betree_upsert_fun_state_t_case_def : thm
+ val betree_upsert_fun_state_t_size_def : thm
+ val recordtype_betree_be_tree_t_seldef_betree_be_tree_node_id_cnt_def : thm
+ val recordtype_betree_be_tree_t_seldef_betree_be_tree_node_id_cnt_fupd_def : thm
+ val recordtype_betree_be_tree_t_seldef_betree_be_tree_params_def : thm
+ val recordtype_betree_be_tree_t_seldef_betree_be_tree_params_fupd_def : thm
+ val recordtype_betree_be_tree_t_seldef_betree_be_tree_root_def : thm
+ val recordtype_betree_be_tree_t_seldef_betree_be_tree_root_fupd_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_id_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_id_fupd_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_left_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_left_fupd_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_pivot_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_pivot_fupd_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_right_def : thm
+ val recordtype_betree_internal_t_seldef_betree_internal_right_fupd_def : thm
+ val recordtype_betree_leaf_t_seldef_betree_leaf_id_def : thm
+ val recordtype_betree_leaf_t_seldef_betree_leaf_id_fupd_def : thm
+ val recordtype_betree_leaf_t_seldef_betree_leaf_size_def : thm
+ val recordtype_betree_leaf_t_seldef_betree_leaf_size_fupd_def : thm
+ val recordtype_betree_node_id_counter_t_seldef_betree_node_id_counter_next_node_id_def : thm
+ val recordtype_betree_node_id_counter_t_seldef_betree_node_id_counter_next_node_id_fupd_def : thm
+ val recordtype_betree_params_t_seldef_betree_params_min_flush_size_def : thm
+ val recordtype_betree_params_t_seldef_betree_params_min_flush_size_fupd_def : thm
+ val recordtype_betree_params_t_seldef_betree_params_split_size_def : thm
+ val recordtype_betree_params_t_seldef_betree_params_split_size_fupd_def : thm
+
+ (* Theorems *)
+ val EXISTS_betree_be_tree_t : thm
+ val EXISTS_betree_internal_t : thm
+ val EXISTS_betree_leaf_t : thm
+ val EXISTS_betree_node_id_counter_t : thm
+ val EXISTS_betree_params_t : thm
+ val FORALL_betree_be_tree_t : thm
+ val FORALL_betree_internal_t : thm
+ val FORALL_betree_leaf_t : thm
+ val FORALL_betree_node_id_counter_t : thm
+ val FORALL_betree_params_t : thm
+ val betree_be_tree_t_11 : thm
+ val betree_be_tree_t_Axiom : thm
+ val betree_be_tree_t_accessors : thm
+ val betree_be_tree_t_accfupds : thm
+ val betree_be_tree_t_case_cong : thm
+ val betree_be_tree_t_case_eq : thm
+ val betree_be_tree_t_component_equality : thm
+ val betree_be_tree_t_fn_updates : thm
+ val betree_be_tree_t_fupdcanon : thm
+ val betree_be_tree_t_fupdcanon_comp : thm
+ val betree_be_tree_t_fupdfupds : thm
+ val betree_be_tree_t_fupdfupds_comp : thm
+ val betree_be_tree_t_induction : thm
+ val betree_be_tree_t_literal_11 : thm
+ val betree_be_tree_t_literal_nchotomy : thm
+ val betree_be_tree_t_nchotomy : thm
+ val betree_be_tree_t_updates_eq_literal : thm
+ val betree_internal_t_11 : thm
+ val betree_internal_t_Axiom : thm
+ val betree_internal_t_accessors : thm
+ val betree_internal_t_accfupds : thm
+ val betree_internal_t_case_cong : thm
+ val betree_internal_t_case_eq : thm
+ val betree_internal_t_component_equality : thm
+ val betree_internal_t_fn_updates : thm
+ val betree_internal_t_fupdcanon : thm
+ val betree_internal_t_fupdcanon_comp : thm
+ val betree_internal_t_fupdfupds : thm
+ val betree_internal_t_fupdfupds_comp : thm
+ val betree_internal_t_induction : thm
+ val betree_internal_t_literal_11 : thm
+ val betree_internal_t_literal_nchotomy : thm
+ val betree_internal_t_nchotomy : thm
+ val betree_internal_t_updates_eq_literal : thm
+ val betree_leaf_t_11 : thm
+ val betree_leaf_t_Axiom : thm
+ val betree_leaf_t_accessors : thm
+ val betree_leaf_t_accfupds : thm
+ val betree_leaf_t_case_cong : thm
+ val betree_leaf_t_case_eq : thm
+ val betree_leaf_t_component_equality : thm
+ val betree_leaf_t_fn_updates : thm
+ val betree_leaf_t_fupdcanon : thm
+ val betree_leaf_t_fupdcanon_comp : thm
+ val betree_leaf_t_fupdfupds : thm
+ val betree_leaf_t_fupdfupds_comp : thm
+ val betree_leaf_t_induction : thm
+ val betree_leaf_t_literal_11 : thm
+ val betree_leaf_t_literal_nchotomy : thm
+ val betree_leaf_t_nchotomy : thm
+ val betree_leaf_t_updates_eq_literal : thm
+ val betree_list_t_11 : thm
+ val betree_list_t_Axiom : thm
+ val betree_list_t_case_cong : thm
+ val betree_list_t_case_eq : thm
+ val betree_list_t_distinct : thm
+ val betree_list_t_induction : thm
+ val betree_list_t_nchotomy : thm
+ val betree_message_t_11 : thm
+ val betree_message_t_Axiom : thm
+ val betree_message_t_case_cong : thm
+ val betree_message_t_case_eq : thm
+ val betree_message_t_distinct : thm
+ val betree_message_t_induction : thm
+ val betree_message_t_nchotomy : thm
+ val betree_node_id_counter_t_11 : thm
+ val betree_node_id_counter_t_Axiom : thm
+ val betree_node_id_counter_t_accessors : thm
+ val betree_node_id_counter_t_accfupds : thm
+ val betree_node_id_counter_t_case_cong : thm
+ val betree_node_id_counter_t_case_eq : thm
+ val betree_node_id_counter_t_component_equality : thm
+ val betree_node_id_counter_t_fn_updates : thm
+ val betree_node_id_counter_t_fupdfupds : thm
+ val betree_node_id_counter_t_fupdfupds_comp : thm
+ val betree_node_id_counter_t_induction : thm
+ val betree_node_id_counter_t_literal_11 : thm
+ val betree_node_id_counter_t_literal_nchotomy : thm
+ val betree_node_id_counter_t_nchotomy : thm
+ val betree_node_id_counter_t_updates_eq_literal : thm
+ val betree_node_t_11 : thm
+ val betree_node_t_Axiom : thm
+ val betree_node_t_case_cong : thm
+ val betree_node_t_case_eq : thm
+ val betree_node_t_distinct : thm
+ val betree_node_t_induction : thm
+ val betree_node_t_nchotomy : thm
+ val betree_params_t_11 : thm
+ val betree_params_t_Axiom : thm
+ val betree_params_t_accessors : thm
+ val betree_params_t_accfupds : thm
+ val betree_params_t_case_cong : thm
+ val betree_params_t_case_eq : thm
+ val betree_params_t_component_equality : thm
+ val betree_params_t_fn_updates : thm
+ val betree_params_t_fupdcanon : thm
+ val betree_params_t_fupdcanon_comp : thm
+ val betree_params_t_fupdfupds : thm
+ val betree_params_t_fupdfupds_comp : thm
+ val betree_params_t_induction : thm
+ val betree_params_t_literal_11 : thm
+ val betree_params_t_literal_nchotomy : thm
+ val betree_params_t_nchotomy : thm
+ val betree_params_t_updates_eq_literal : thm
+ val betree_upsert_fun_state_t_11 : thm
+ val betree_upsert_fun_state_t_Axiom : thm
+ val betree_upsert_fun_state_t_case_cong : thm
+ val betree_upsert_fun_state_t_case_eq : thm
+ val betree_upsert_fun_state_t_distinct : thm
+ val betree_upsert_fun_state_t_induction : thm
+ val betree_upsert_fun_state_t_nchotomy : thm
+ val datatype_betree_be_tree_t : thm
+ val datatype_betree_leaf_t : thm
+ val datatype_betree_list_t : thm
+ val datatype_betree_message_t : thm
+ val datatype_betree_node_id_counter_t : thm
+ val datatype_betree_node_t : thm
+ val datatype_betree_params_t : thm
+ val datatype_betree_upsert_fun_state_t : thm
+
+ val betreeMain_Types_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "betreeMain_Types"
+
+ [betree_be_tree_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('betree_be_tree_t').
+ (∀a0'.
+ (∃a0 a1 a2.
+ a0' =
+ (λa0 a1 a2.
+ ind_type$CONSTR 0 (a0,a1,a2)
+ (λn. ind_type$BOTTOM)) a0 a1 a2) ⇒
+ $var$('betree_be_tree_t') a0') ⇒
+ $var$('betree_be_tree_t') a0') rep
+
+ [betree_be_tree_t_case_def] Definition
+
+ ⊢ ∀a0 a1 a2 f.
+ betree_be_tree_t_CASE (betree_be_tree_t a0 a1 a2) f = f a0 a1 a2
+
+ [betree_be_tree_t_size_def] Definition
+
+ ⊢ ∀a0 a1 a2.
+ betree_be_tree_t_size (betree_be_tree_t a0 a1 a2) =
+ 1 +
+ (betree_params_t_size a0 +
+ (betree_node_id_counter_t_size a1 + betree_node_t_size a2))
+
+ [betree_internal_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa1'.
+ ∀ $var$('betree_node_t') $var$('betree_internal_t').
+ (∀a0'.
+ (∃a. a0' =
+ (λa.
+ ind_type$CONSTR 0 (ARB,ARB,ARB)
+ (ind_type$FCONS a (λn. ind_type$BOTTOM)))
+ a ∧ $var$('betree_internal_t') a) ∨
+ (∃a. a0' =
+ (λa.
+ ind_type$CONSTR (SUC 0) (a,ARB,ARB)
+ (λn. ind_type$BOTTOM)) a) ⇒
+ $var$('betree_node_t') a0') ∧
+ (∀a1'.
+ (∃a0 a1 a2 a3.
+ a1' =
+ (λa0 a1 a2 a3.
+ ind_type$CONSTR (SUC (SUC 0)) (ARB,a0,a1)
+ (ind_type$FCONS a2
+ (ind_type$FCONS a3 (λn. ind_type$BOTTOM))))
+ a0 a1 a2 a3 ∧ $var$('betree_node_t') a2 ∧
+ $var$('betree_node_t') a3) ⇒
+ $var$('betree_internal_t') a1') ⇒
+ $var$('betree_internal_t') a1') rep
+
+ [betree_internal_t_case_def] Definition
+
+ ⊢ ∀a0 a1 a2 a3 f.
+ betree_internal_t_CASE (betree_internal_t a0 a1 a2 a3) f =
+ f a0 a1 a2 a3
+
+ [betree_leaf_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('betree_leaf_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 (a0,a1)
+ (λn. ind_type$BOTTOM)) a0 a1) ⇒
+ $var$('betree_leaf_t') a0') ⇒
+ $var$('betree_leaf_t') a0') rep
+
+ [betree_leaf_t_case_def] Definition
+
+ ⊢ ∀a0 a1 f. betree_leaf_t_CASE (betree_leaf_t a0 a1) f = f a0 a1
+
+ [betree_leaf_t_size_def] Definition
+
+ ⊢ ∀a0 a1. betree_leaf_t_size (betree_leaf_t a0 a1) = 1
+
+ [betree_list_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('betree_list_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 a0
+ (ind_type$FCONS a1 (λn. ind_type$BOTTOM)))
+ a0 a1 ∧ $var$('betree_list_t') a1) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) ARB (λn. ind_type$BOTTOM) ⇒
+ $var$('betree_list_t') a0') ⇒
+ $var$('betree_list_t') a0') rep
+
+ [betree_list_t_case_def] Definition
+
+ ⊢ (∀a0 a1 f v.
+ betree_list_t_CASE (BetreeListCons a0 a1) f v = f a0 a1) ∧
+ ∀f v. betree_list_t_CASE BetreeListNil f v = v
+
+ [betree_list_t_size_def] Definition
+
+ ⊢ (∀f a0 a1.
+ betree_list_t_size f (BetreeListCons a0 a1) =
+ 1 + (f a0 + betree_list_t_size f a1)) ∧
+ ∀f. betree_list_t_size f BetreeListNil = 0
+
+ [betree_message_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('betree_message_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa.
+ ind_type$CONSTR 0 (a,ARB)
+ (λn. ind_type$BOTTOM)) a) ∨
+ a0 =
+ ind_type$CONSTR (SUC 0) (ARB,ARB)
+ (λn. ind_type$BOTTOM) ∨
+ (∃a. a0 =
+ (λa.
+ ind_type$CONSTR (SUC (SUC 0)) (ARB,a)
+ (λn. ind_type$BOTTOM)) a) ⇒
+ $var$('betree_message_t') a0) ⇒
+ $var$('betree_message_t') a0) rep
+
+ [betree_message_t_case_def] Definition
+
+ ⊢ (∀a f v f1.
+ betree_message_t_CASE (BetreeMessageInsert a) f v f1 = f a) ∧
+ (∀f v f1. betree_message_t_CASE BetreeMessageDelete f v f1 = v) ∧
+ ∀a f v f1.
+ betree_message_t_CASE (BetreeMessageUpsert a) f v f1 = f1 a
+
+ [betree_message_t_size_def] Definition
+
+ ⊢ (∀a. betree_message_t_size (BetreeMessageInsert a) = 1) ∧
+ betree_message_t_size BetreeMessageDelete = 0 ∧
+ ∀a. betree_message_t_size (BetreeMessageUpsert a) =
+ 1 + betree_upsert_fun_state_t_size a
+
+ [betree_node_id_counter_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('betree_node_id_counter_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa. ind_type$CONSTR 0 a (λn. ind_type$BOTTOM))
+ a) ⇒
+ $var$('betree_node_id_counter_t') a0) ⇒
+ $var$('betree_node_id_counter_t') a0) rep
+
+ [betree_node_id_counter_t_case_def] Definition
+
+ ⊢ ∀a f.
+ betree_node_id_counter_t_CASE (betree_node_id_counter_t a) f =
+ f a
+
+ [betree_node_id_counter_t_size_def] Definition
+
+ ⊢ ∀a. betree_node_id_counter_t_size (betree_node_id_counter_t a) = 1
+
+ [betree_node_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('betree_node_t') $var$('betree_internal_t').
+ (∀a0'.
+ (∃a. a0' =
+ (λa.
+ ind_type$CONSTR 0 (ARB,ARB,ARB)
+ (ind_type$FCONS a (λn. ind_type$BOTTOM)))
+ a ∧ $var$('betree_internal_t') a) ∨
+ (∃a. a0' =
+ (λa.
+ ind_type$CONSTR (SUC 0) (a,ARB,ARB)
+ (λn. ind_type$BOTTOM)) a) ⇒
+ $var$('betree_node_t') a0') ∧
+ (∀a1'.
+ (∃a0 a1 a2 a3.
+ a1' =
+ (λa0 a1 a2 a3.
+ ind_type$CONSTR (SUC (SUC 0)) (ARB,a0,a1)
+ (ind_type$FCONS a2
+ (ind_type$FCONS a3 (λn. ind_type$BOTTOM))))
+ a0 a1 a2 a3 ∧ $var$('betree_node_t') a2 ∧
+ $var$('betree_node_t') a3) ⇒
+ $var$('betree_internal_t') a1') ⇒
+ $var$('betree_node_t') a0') rep
+
+ [betree_node_t_case_def] Definition
+
+ ⊢ (∀a f f1. betree_node_t_CASE (BetreeNodeInternal a) f f1 = f a) ∧
+ ∀a f f1. betree_node_t_CASE (BetreeNodeLeaf a) f f1 = f1 a
+
+ [betree_node_t_size_def] Definition
+
+ ⊢ (∀a. betree_node_t_size (BetreeNodeInternal a) =
+ 1 + betree_internal_t_size a) ∧
+ (∀a. betree_node_t_size (BetreeNodeLeaf a) =
+ 1 + betree_leaf_t_size a) ∧
+ ∀a0 a1 a2 a3.
+ betree_internal_t_size (betree_internal_t a0 a1 a2 a3) =
+ 1 + (betree_node_t_size a2 + betree_node_t_size a3)
+
+ [betree_params_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('betree_params_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 (a0,a1)
+ (λn. ind_type$BOTTOM)) a0 a1) ⇒
+ $var$('betree_params_t') a0') ⇒
+ $var$('betree_params_t') a0') rep
+
+ [betree_params_t_case_def] Definition
+
+ ⊢ ∀a0 a1 f. betree_params_t_CASE (betree_params_t a0 a1) f = f a0 a1
+
+ [betree_params_t_size_def] Definition
+
+ ⊢ ∀a0 a1. betree_params_t_size (betree_params_t a0 a1) = 1
+
+ [betree_upsert_fun_state_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('betree_upsert_fun_state_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa. ind_type$CONSTR 0 a (λn. ind_type$BOTTOM))
+ a) ∨
+ (∃a. a0 =
+ (λa.
+ ind_type$CONSTR (SUC 0) a
+ (λn. ind_type$BOTTOM)) a) ⇒
+ $var$('betree_upsert_fun_state_t') a0) ⇒
+ $var$('betree_upsert_fun_state_t') a0) rep
+
+ [betree_upsert_fun_state_t_case_def] Definition
+
+ ⊢ (∀a f f1.
+ betree_upsert_fun_state_t_CASE (BetreeUpsertFunStateAdd a) f f1 =
+ f a) ∧
+ ∀a f f1.
+ betree_upsert_fun_state_t_CASE (BetreeUpsertFunStateSub a) f f1 =
+ f1 a
+
+ [betree_upsert_fun_state_t_size_def] Definition
+
+ ⊢ (∀a. betree_upsert_fun_state_t_size (BetreeUpsertFunStateAdd a) = 1) ∧
+ ∀a. betree_upsert_fun_state_t_size (BetreeUpsertFunStateSub a) = 1
+
+ [recordtype_betree_be_tree_t_seldef_betree_be_tree_node_id_cnt_def] Definition
+
+ ⊢ ∀b b0 b1.
+ (betree_be_tree_t b b0 b1).betree_be_tree_node_id_cnt = b0
+
+ [recordtype_betree_be_tree_t_seldef_betree_be_tree_node_id_cnt_fupd_def] Definition
+
+ ⊢ ∀f b b0 b1.
+ betree_be_tree_t b b0 b1 with
+ betree_be_tree_node_id_cnt updated_by f =
+ betree_be_tree_t b (f b0) b1
+
+ [recordtype_betree_be_tree_t_seldef_betree_be_tree_params_def] Definition
+
+ ⊢ ∀b b0 b1. (betree_be_tree_t b b0 b1).betree_be_tree_params = b
+
+ [recordtype_betree_be_tree_t_seldef_betree_be_tree_params_fupd_def] Definition
+
+ ⊢ ∀f b b0 b1.
+ betree_be_tree_t b b0 b1 with betree_be_tree_params updated_by f =
+ betree_be_tree_t (f b) b0 b1
+
+ [recordtype_betree_be_tree_t_seldef_betree_be_tree_root_def] Definition
+
+ ⊢ ∀b b0 b1. (betree_be_tree_t b b0 b1).betree_be_tree_root = b1
+
+ [recordtype_betree_be_tree_t_seldef_betree_be_tree_root_fupd_def] Definition
+
+ ⊢ ∀f b b0 b1.
+ betree_be_tree_t b b0 b1 with betree_be_tree_root updated_by f =
+ betree_be_tree_t b b0 (f b1)
+
+ [recordtype_betree_internal_t_seldef_betree_internal_id_def] Definition
+
+ ⊢ ∀u u0 b b0. (betree_internal_t u u0 b b0).betree_internal_id = u
+
+ [recordtype_betree_internal_t_seldef_betree_internal_id_fupd_def] Definition
+
+ ⊢ ∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with betree_internal_id updated_by f =
+ betree_internal_t (f u) u0 b b0
+
+ [recordtype_betree_internal_t_seldef_betree_internal_left_def] Definition
+
+ ⊢ ∀u u0 b b0. (betree_internal_t u u0 b b0).betree_internal_left = b
+
+ [recordtype_betree_internal_t_seldef_betree_internal_left_fupd_def] Definition
+
+ ⊢ ∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with
+ betree_internal_left updated_by f =
+ betree_internal_t u u0 (f b) b0
+
+ [recordtype_betree_internal_t_seldef_betree_internal_pivot_def] Definition
+
+ ⊢ ∀u u0 b b0.
+ (betree_internal_t u u0 b b0).betree_internal_pivot = u0
+
+ [recordtype_betree_internal_t_seldef_betree_internal_pivot_fupd_def] Definition
+
+ ⊢ ∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with
+ betree_internal_pivot updated_by f =
+ betree_internal_t u (f u0) b b0
+
+ [recordtype_betree_internal_t_seldef_betree_internal_right_def] Definition
+
+ ⊢ ∀u u0 b b0.
+ (betree_internal_t u u0 b b0).betree_internal_right = b0
+
+ [recordtype_betree_internal_t_seldef_betree_internal_right_fupd_def] Definition
+
+ ⊢ ∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with
+ betree_internal_right updated_by f =
+ betree_internal_t u u0 b (f b0)
+
+ [recordtype_betree_leaf_t_seldef_betree_leaf_id_def] Definition
+
+ ⊢ ∀u u0. (betree_leaf_t u u0).betree_leaf_id = u
+
+ [recordtype_betree_leaf_t_seldef_betree_leaf_id_fupd_def] Definition
+
+ ⊢ ∀f u u0.
+ betree_leaf_t u u0 with betree_leaf_id updated_by f =
+ betree_leaf_t (f u) u0
+
+ [recordtype_betree_leaf_t_seldef_betree_leaf_size_def] Definition
+
+ ⊢ ∀u u0. (betree_leaf_t u u0).betree_leaf_size = u0
+
+ [recordtype_betree_leaf_t_seldef_betree_leaf_size_fupd_def] Definition
+
+ ⊢ ∀f u u0.
+ betree_leaf_t u u0 with betree_leaf_size updated_by f =
+ betree_leaf_t u (f u0)
+
+ [recordtype_betree_node_id_counter_t_seldef_betree_node_id_counter_next_node_id_def] Definition
+
+ ⊢ ∀u. (betree_node_id_counter_t u).
+ betree_node_id_counter_next_node_id =
+ u
+
+ [recordtype_betree_node_id_counter_t_seldef_betree_node_id_counter_next_node_id_fupd_def] Definition
+
+ ⊢ ∀f u.
+ betree_node_id_counter_t u with
+ betree_node_id_counter_next_node_id updated_by f =
+ betree_node_id_counter_t (f u)
+
+ [recordtype_betree_params_t_seldef_betree_params_min_flush_size_def] Definition
+
+ ⊢ ∀u u0. (betree_params_t u u0).betree_params_min_flush_size = u
+
+ [recordtype_betree_params_t_seldef_betree_params_min_flush_size_fupd_def] Definition
+
+ ⊢ ∀f u u0.
+ betree_params_t u u0 with
+ betree_params_min_flush_size updated_by f =
+ betree_params_t (f u) u0
+
+ [recordtype_betree_params_t_seldef_betree_params_split_size_def] Definition
+
+ ⊢ ∀u u0. (betree_params_t u u0).betree_params_split_size = u0
+
+ [recordtype_betree_params_t_seldef_betree_params_split_size_fupd_def] Definition
+
+ ⊢ ∀f u u0.
+ betree_params_t u u0 with betree_params_split_size updated_by f =
+ betree_params_t u (f u0)
+
+ [EXISTS_betree_be_tree_t] Theorem
+
+ ⊢ ∀P. (∃b. P b) ⇔
+ ∃b2 b1 b0.
+ P
+ <|betree_be_tree_params := b2;
+ betree_be_tree_node_id_cnt := b1;
+ betree_be_tree_root := b0|>
+
+ [EXISTS_betree_internal_t] Theorem
+
+ ⊢ ∀P. (∃b. P b) ⇔
+ ∃u0 u b1 b0.
+ P
+ <|betree_internal_id := u0; betree_internal_pivot := u;
+ betree_internal_left := b1; betree_internal_right := b0|>
+
+ [EXISTS_betree_leaf_t] Theorem
+
+ ⊢ ∀P. (∃b. P b) ⇔
+ ∃u0 u. P <|betree_leaf_id := u0; betree_leaf_size := u|>
+
+ [EXISTS_betree_node_id_counter_t] Theorem
+
+ ⊢ ∀P. (∃b. P b) ⇔ ∃u. P <|betree_node_id_counter_next_node_id := u|>
+
+ [EXISTS_betree_params_t] Theorem
+
+ ⊢ ∀P. (∃b. P b) ⇔
+ ∃u0 u.
+ P
+ <|betree_params_min_flush_size := u0;
+ betree_params_split_size := u|>
+
+ [FORALL_betree_be_tree_t] Theorem
+
+ ⊢ ∀P. (∀b. P b) ⇔
+ ∀b2 b1 b0.
+ P
+ <|betree_be_tree_params := b2;
+ betree_be_tree_node_id_cnt := b1;
+ betree_be_tree_root := b0|>
+
+ [FORALL_betree_internal_t] Theorem
+
+ ⊢ ∀P. (∀b. P b) ⇔
+ ∀u0 u b1 b0.
+ P
+ <|betree_internal_id := u0; betree_internal_pivot := u;
+ betree_internal_left := b1; betree_internal_right := b0|>
+
+ [FORALL_betree_leaf_t] Theorem
+
+ ⊢ ∀P. (∀b. P b) ⇔
+ ∀u0 u. P <|betree_leaf_id := u0; betree_leaf_size := u|>
+
+ [FORALL_betree_node_id_counter_t] Theorem
+
+ ⊢ ∀P. (∀b. P b) ⇔ ∀u. P <|betree_node_id_counter_next_node_id := u|>
+
+ [FORALL_betree_params_t] Theorem
+
+ ⊢ ∀P. (∀b. P b) ⇔
+ ∀u0 u.
+ P
+ <|betree_params_min_flush_size := u0;
+ betree_params_split_size := u|>
+
+ [betree_be_tree_t_11] Theorem
+
+ ⊢ ∀a0 a1 a2 a0' a1' a2'.
+ betree_be_tree_t a0 a1 a2 = betree_be_tree_t a0' a1' a2' ⇔
+ a0 = a0' ∧ a1 = a1' ∧ a2 = a2'
+
+ [betree_be_tree_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a0 a1 a2. fn (betree_be_tree_t a0 a1 a2) = f a0 a1 a2
+
+ [betree_be_tree_t_accessors] Theorem
+
+ ⊢ (∀b b0 b1. (betree_be_tree_t b b0 b1).betree_be_tree_params = b) ∧
+ (∀b b0 b1.
+ (betree_be_tree_t b b0 b1).betree_be_tree_node_id_cnt = b0) ∧
+ ∀b b0 b1. (betree_be_tree_t b b0 b1).betree_be_tree_root = b1
+
+ [betree_be_tree_t_accfupds] Theorem
+
+ ⊢ (∀f b.
+ (b with betree_be_tree_node_id_cnt updated_by f).
+ betree_be_tree_params =
+ b.betree_be_tree_params) ∧
+ (∀f b.
+ (b with betree_be_tree_root updated_by f).betree_be_tree_params =
+ b.betree_be_tree_params) ∧
+ (∀f b.
+ (b with betree_be_tree_params updated_by f).
+ betree_be_tree_node_id_cnt =
+ b.betree_be_tree_node_id_cnt) ∧
+ (∀f b.
+ (b with betree_be_tree_root updated_by f).
+ betree_be_tree_node_id_cnt =
+ b.betree_be_tree_node_id_cnt) ∧
+ (∀f b.
+ (b with betree_be_tree_params updated_by f).betree_be_tree_root =
+ b.betree_be_tree_root) ∧
+ (∀f b.
+ (b with betree_be_tree_node_id_cnt updated_by f).
+ betree_be_tree_root =
+ b.betree_be_tree_root) ∧
+ (∀f b.
+ (b with betree_be_tree_params updated_by f).
+ betree_be_tree_params =
+ f b.betree_be_tree_params) ∧
+ (∀f b.
+ (b with betree_be_tree_node_id_cnt updated_by f).
+ betree_be_tree_node_id_cnt =
+ f b.betree_be_tree_node_id_cnt) ∧
+ ∀f b.
+ (b with betree_be_tree_root updated_by f).betree_be_tree_root =
+ f b.betree_be_tree_root
+
+ [betree_be_tree_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧
+ (∀a0 a1 a2.
+ M' = betree_be_tree_t a0 a1 a2 ⇒ f a0 a1 a2 = f' a0 a1 a2) ⇒
+ betree_be_tree_t_CASE M f = betree_be_tree_t_CASE M' f'
+
+ [betree_be_tree_t_case_eq] Theorem
+
+ ⊢ betree_be_tree_t_CASE x f = v ⇔
+ ∃b b0 b1. x = betree_be_tree_t b b0 b1 ∧ f b b0 b1 = v
+
+ [betree_be_tree_t_component_equality] Theorem
+
+ ⊢ ∀b1 b2.
+ b1 = b2 ⇔
+ b1.betree_be_tree_params = b2.betree_be_tree_params ∧
+ b1.betree_be_tree_node_id_cnt = b2.betree_be_tree_node_id_cnt ∧
+ b1.betree_be_tree_root = b2.betree_be_tree_root
+
+ [betree_be_tree_t_fn_updates] Theorem
+
+ ⊢ (∀f b b0 b1.
+ betree_be_tree_t b b0 b1 with betree_be_tree_params updated_by f =
+ betree_be_tree_t (f b) b0 b1) ∧
+ (∀f b b0 b1.
+ betree_be_tree_t b b0 b1 with
+ betree_be_tree_node_id_cnt updated_by f =
+ betree_be_tree_t b (f b0) b1) ∧
+ ∀f b b0 b1.
+ betree_be_tree_t b b0 b1 with betree_be_tree_root updated_by f =
+ betree_be_tree_t b b0 (f b1)
+
+ [betree_be_tree_t_fupdcanon] Theorem
+
+ ⊢ (∀g f b.
+ b with
+ <|betree_be_tree_node_id_cnt updated_by f;
+ betree_be_tree_params updated_by g|> =
+ b with
+ <|betree_be_tree_params updated_by g;
+ betree_be_tree_node_id_cnt updated_by f|>) ∧
+ (∀g f b.
+ b with
+ <|betree_be_tree_root updated_by f;
+ betree_be_tree_params updated_by g|> =
+ b with
+ <|betree_be_tree_params updated_by g;
+ betree_be_tree_root updated_by f|>) ∧
+ ∀g f b.
+ b with
+ <|betree_be_tree_root updated_by f;
+ betree_be_tree_node_id_cnt updated_by g|> =
+ b with
+ <|betree_be_tree_node_id_cnt updated_by g;
+ betree_be_tree_root updated_by f|>
+
+ [betree_be_tree_t_fupdcanon_comp] Theorem
+
+ ⊢ ((∀g f.
+ betree_be_tree_node_id_cnt_fupd f ∘
+ betree_be_tree_params_fupd g =
+ betree_be_tree_params_fupd g ∘
+ betree_be_tree_node_id_cnt_fupd f) ∧
+ ∀h g f.
+ betree_be_tree_node_id_cnt_fupd f ∘
+ betree_be_tree_params_fupd g ∘ h =
+ betree_be_tree_params_fupd g ∘
+ betree_be_tree_node_id_cnt_fupd f ∘ h) ∧
+ ((∀g f.
+ betree_be_tree_root_fupd f ∘ betree_be_tree_params_fupd g =
+ betree_be_tree_params_fupd g ∘ betree_be_tree_root_fupd f) ∧
+ ∀h g f.
+ betree_be_tree_root_fupd f ∘ betree_be_tree_params_fupd g ∘ h =
+ betree_be_tree_params_fupd g ∘ betree_be_tree_root_fupd f ∘ h) ∧
+ (∀g f.
+ betree_be_tree_root_fupd f ∘ betree_be_tree_node_id_cnt_fupd g =
+ betree_be_tree_node_id_cnt_fupd g ∘ betree_be_tree_root_fupd f) ∧
+ ∀h g f.
+ betree_be_tree_root_fupd f ∘ betree_be_tree_node_id_cnt_fupd g ∘
+ h =
+ betree_be_tree_node_id_cnt_fupd g ∘ betree_be_tree_root_fupd f ∘
+ h
+
+ [betree_be_tree_t_fupdfupds] Theorem
+
+ ⊢ (∀g f b.
+ b with
+ <|betree_be_tree_params updated_by f;
+ betree_be_tree_params updated_by g|> =
+ b with betree_be_tree_params updated_by f ∘ g) ∧
+ (∀g f b.
+ b with
+ <|betree_be_tree_node_id_cnt updated_by f;
+ betree_be_tree_node_id_cnt updated_by g|> =
+ b with betree_be_tree_node_id_cnt updated_by f ∘ g) ∧
+ ∀g f b.
+ b with
+ <|betree_be_tree_root updated_by f;
+ betree_be_tree_root updated_by g|> =
+ b with betree_be_tree_root updated_by f ∘ g
+
+ [betree_be_tree_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f.
+ betree_be_tree_params_fupd f ∘ betree_be_tree_params_fupd g =
+ betree_be_tree_params_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_be_tree_params_fupd f ∘ betree_be_tree_params_fupd g ∘ h =
+ betree_be_tree_params_fupd (f ∘ g) ∘ h) ∧
+ ((∀g f.
+ betree_be_tree_node_id_cnt_fupd f ∘
+ betree_be_tree_node_id_cnt_fupd g =
+ betree_be_tree_node_id_cnt_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_be_tree_node_id_cnt_fupd f ∘
+ betree_be_tree_node_id_cnt_fupd g ∘ h =
+ betree_be_tree_node_id_cnt_fupd (f ∘ g) ∘ h) ∧
+ (∀g f.
+ betree_be_tree_root_fupd f ∘ betree_be_tree_root_fupd g =
+ betree_be_tree_root_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_be_tree_root_fupd f ∘ betree_be_tree_root_fupd g ∘ h =
+ betree_be_tree_root_fupd (f ∘ g) ∘ h
+
+ [betree_be_tree_t_induction] Theorem
+
+ ⊢ ∀P. (∀b b0 b1. P (betree_be_tree_t b b0 b1)) ⇒ ∀b. P b
+
+ [betree_be_tree_t_literal_11] Theorem
+
+ ⊢ ∀b21 b11 b01 b22 b12 b02.
+ <|betree_be_tree_params := b21;
+ betree_be_tree_node_id_cnt := b11; betree_be_tree_root := b01|> =
+ <|betree_be_tree_params := b22;
+ betree_be_tree_node_id_cnt := b12; betree_be_tree_root := b02|> ⇔
+ b21 = b22 ∧ b11 = b12 ∧ b01 = b02
+
+ [betree_be_tree_t_literal_nchotomy] Theorem
+
+ ⊢ ∀b. ∃b2 b1 b0.
+ b =
+ <|betree_be_tree_params := b2; betree_be_tree_node_id_cnt := b1;
+ betree_be_tree_root := b0|>
+
+ [betree_be_tree_t_nchotomy] Theorem
+
+ ⊢ ∀bb. ∃b b0 b1. bb = betree_be_tree_t b b0 b1
+
+ [betree_be_tree_t_updates_eq_literal] Theorem
+
+ ⊢ ∀b b2 b1 b0.
+ b with
+ <|betree_be_tree_params := b2; betree_be_tree_node_id_cnt := b1;
+ betree_be_tree_root := b0|> =
+ <|betree_be_tree_params := b2; betree_be_tree_node_id_cnt := b1;
+ betree_be_tree_root := b0|>
+
+ [betree_internal_t_11] Theorem
+
+ ⊢ ∀a0 a1 a2 a3 a0' a1' a2' a3'.
+ betree_internal_t a0 a1 a2 a3 = betree_internal_t a0' a1' a2' a3' ⇔
+ a0 = a0' ∧ a1 = a1' ∧ a2 = a2' ∧ a3 = a3'
+
+ [betree_internal_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1 f2. ∃fn0 fn1.
+ (∀a. fn0 (BetreeNodeInternal a) = f0 a (fn1 a)) ∧
+ (∀a. fn0 (BetreeNodeLeaf a) = f1 a) ∧
+ ∀a0 a1 a2 a3.
+ fn1 (betree_internal_t a0 a1 a2 a3) =
+ f2 a0 a1 a2 a3 (fn0 a2) (fn0 a3)
+
+ [betree_internal_t_accessors] Theorem
+
+ ⊢ (∀u u0 b b0. (betree_internal_t u u0 b b0).betree_internal_id = u) ∧
+ (∀u u0 b b0.
+ (betree_internal_t u u0 b b0).betree_internal_pivot = u0) ∧
+ (∀u u0 b b0. (betree_internal_t u u0 b b0).betree_internal_left = b) ∧
+ ∀u u0 b b0.
+ (betree_internal_t u u0 b b0).betree_internal_right = b0
+
+ [betree_internal_t_accfupds] Theorem
+
+ ⊢ (∀f b.
+ (b with betree_internal_pivot updated_by f).betree_internal_id =
+ b.betree_internal_id) ∧
+ (∀f b.
+ (b with betree_internal_left updated_by f).betree_internal_id =
+ b.betree_internal_id) ∧
+ (∀f b.
+ (b with betree_internal_right updated_by f).betree_internal_id =
+ b.betree_internal_id) ∧
+ (∀f b.
+ (b with betree_internal_id updated_by f).betree_internal_pivot =
+ b.betree_internal_pivot) ∧
+ (∀f b.
+ (b with betree_internal_left updated_by f).betree_internal_pivot =
+ b.betree_internal_pivot) ∧
+ (∀f b.
+ (b with betree_internal_right updated_by f).
+ betree_internal_pivot =
+ b.betree_internal_pivot) ∧
+ (∀f b.
+ (b with betree_internal_id updated_by f).betree_internal_left =
+ b.betree_internal_left) ∧
+ (∀f b.
+ (b with betree_internal_pivot updated_by f).betree_internal_left =
+ b.betree_internal_left) ∧
+ (∀f b.
+ (b with betree_internal_right updated_by f).betree_internal_left =
+ b.betree_internal_left) ∧
+ (∀f b.
+ (b with betree_internal_id updated_by f).betree_internal_right =
+ b.betree_internal_right) ∧
+ (∀f b.
+ (b with betree_internal_pivot updated_by f).
+ betree_internal_right =
+ b.betree_internal_right) ∧
+ (∀f b.
+ (b with betree_internal_left updated_by f).betree_internal_right =
+ b.betree_internal_right) ∧
+ (∀f b.
+ (b with betree_internal_id updated_by f).betree_internal_id =
+ f b.betree_internal_id) ∧
+ (∀f b.
+ (b with betree_internal_pivot updated_by f).
+ betree_internal_pivot =
+ f b.betree_internal_pivot) ∧
+ (∀f b.
+ (b with betree_internal_left updated_by f).betree_internal_left =
+ f b.betree_internal_left) ∧
+ ∀f b.
+ (b with betree_internal_right updated_by f).betree_internal_right =
+ f b.betree_internal_right
+
+ [betree_internal_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧
+ (∀a0 a1 a2 a3.
+ M' = betree_internal_t a0 a1 a2 a3 ⇒
+ f a0 a1 a2 a3 = f' a0 a1 a2 a3) ⇒
+ betree_internal_t_CASE M f = betree_internal_t_CASE M' f'
+
+ [betree_internal_t_case_eq] Theorem
+
+ ⊢ betree_internal_t_CASE x f = v ⇔
+ ∃u0 u b b0. x = betree_internal_t u0 u b b0 ∧ f u0 u b b0 = v
+
+ [betree_internal_t_component_equality] Theorem
+
+ ⊢ ∀b1 b2.
+ b1 = b2 ⇔
+ b1.betree_internal_id = b2.betree_internal_id ∧
+ b1.betree_internal_pivot = b2.betree_internal_pivot ∧
+ b1.betree_internal_left = b2.betree_internal_left ∧
+ b1.betree_internal_right = b2.betree_internal_right
+
+ [betree_internal_t_fn_updates] Theorem
+
+ ⊢ (∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with betree_internal_id updated_by f =
+ betree_internal_t (f u) u0 b b0) ∧
+ (∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with
+ betree_internal_pivot updated_by f =
+ betree_internal_t u (f u0) b b0) ∧
+ (∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with
+ betree_internal_left updated_by f =
+ betree_internal_t u u0 (f b) b0) ∧
+ ∀f u u0 b b0.
+ betree_internal_t u u0 b b0 with
+ betree_internal_right updated_by f =
+ betree_internal_t u u0 b (f b0)
+
+ [betree_internal_t_fupdcanon] Theorem
+
+ ⊢ (∀g f b.
+ b with
+ <|betree_internal_pivot updated_by f;
+ betree_internal_id updated_by g|> =
+ b with
+ <|betree_internal_id updated_by g;
+ betree_internal_pivot updated_by f|>) ∧
+ (∀g f b.
+ b with
+ <|betree_internal_left updated_by f;
+ betree_internal_id updated_by g|> =
+ b with
+ <|betree_internal_id updated_by g;
+ betree_internal_left updated_by f|>) ∧
+ (∀g f b.
+ b with
+ <|betree_internal_left updated_by f;
+ betree_internal_pivot updated_by g|> =
+ b with
+ <|betree_internal_pivot updated_by g;
+ betree_internal_left updated_by f|>) ∧
+ (∀g f b.
+ b with
+ <|betree_internal_right updated_by f;
+ betree_internal_id updated_by g|> =
+ b with
+ <|betree_internal_id updated_by g;
+ betree_internal_right updated_by f|>) ∧
+ (∀g f b.
+ b with
+ <|betree_internal_right updated_by f;
+ betree_internal_pivot updated_by g|> =
+ b with
+ <|betree_internal_pivot updated_by g;
+ betree_internal_right updated_by f|>) ∧
+ ∀g f b.
+ b with
+ <|betree_internal_right updated_by f;
+ betree_internal_left updated_by g|> =
+ b with
+ <|betree_internal_left updated_by g;
+ betree_internal_right updated_by f|>
+
+ [betree_internal_t_fupdcanon_comp] Theorem
+
+ ⊢ ((∀g f.
+ betree_internal_pivot_fupd f ∘ betree_internal_id_fupd g =
+ betree_internal_id_fupd g ∘ betree_internal_pivot_fupd f) ∧
+ ∀h g f.
+ betree_internal_pivot_fupd f ∘ betree_internal_id_fupd g ∘ h =
+ betree_internal_id_fupd g ∘ betree_internal_pivot_fupd f ∘ h) ∧
+ ((∀g f.
+ betree_internal_left_fupd f ∘ betree_internal_id_fupd g =
+ betree_internal_id_fupd g ∘ betree_internal_left_fupd f) ∧
+ ∀h g f.
+ betree_internal_left_fupd f ∘ betree_internal_id_fupd g ∘ h =
+ betree_internal_id_fupd g ∘ betree_internal_left_fupd f ∘ h) ∧
+ ((∀g f.
+ betree_internal_left_fupd f ∘ betree_internal_pivot_fupd g =
+ betree_internal_pivot_fupd g ∘ betree_internal_left_fupd f) ∧
+ ∀h g f.
+ betree_internal_left_fupd f ∘ betree_internal_pivot_fupd g ∘ h =
+ betree_internal_pivot_fupd g ∘ betree_internal_left_fupd f ∘ h) ∧
+ ((∀g f.
+ betree_internal_right_fupd f ∘ betree_internal_id_fupd g =
+ betree_internal_id_fupd g ∘ betree_internal_right_fupd f) ∧
+ ∀h g f.
+ betree_internal_right_fupd f ∘ betree_internal_id_fupd g ∘ h =
+ betree_internal_id_fupd g ∘ betree_internal_right_fupd f ∘ h) ∧
+ ((∀g f.
+ betree_internal_right_fupd f ∘ betree_internal_pivot_fupd g =
+ betree_internal_pivot_fupd g ∘ betree_internal_right_fupd f) ∧
+ ∀h g f.
+ betree_internal_right_fupd f ∘ betree_internal_pivot_fupd g ∘ h =
+ betree_internal_pivot_fupd g ∘ betree_internal_right_fupd f ∘ h) ∧
+ (∀g f.
+ betree_internal_right_fupd f ∘ betree_internal_left_fupd g =
+ betree_internal_left_fupd g ∘ betree_internal_right_fupd f) ∧
+ ∀h g f.
+ betree_internal_right_fupd f ∘ betree_internal_left_fupd g ∘ h =
+ betree_internal_left_fupd g ∘ betree_internal_right_fupd f ∘ h
+
+ [betree_internal_t_fupdfupds] Theorem
+
+ ⊢ (∀g f b.
+ b with
+ <|betree_internal_id updated_by f;
+ betree_internal_id updated_by g|> =
+ b with betree_internal_id updated_by f ∘ g) ∧
+ (∀g f b.
+ b with
+ <|betree_internal_pivot updated_by f;
+ betree_internal_pivot updated_by g|> =
+ b with betree_internal_pivot updated_by f ∘ g) ∧
+ (∀g f b.
+ b with
+ <|betree_internal_left updated_by f;
+ betree_internal_left updated_by g|> =
+ b with betree_internal_left updated_by f ∘ g) ∧
+ ∀g f b.
+ b with
+ <|betree_internal_right updated_by f;
+ betree_internal_right updated_by g|> =
+ b with betree_internal_right updated_by f ∘ g
+
+ [betree_internal_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f.
+ betree_internal_id_fupd f ∘ betree_internal_id_fupd g =
+ betree_internal_id_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_internal_id_fupd f ∘ betree_internal_id_fupd g ∘ h =
+ betree_internal_id_fupd (f ∘ g) ∘ h) ∧
+ ((∀g f.
+ betree_internal_pivot_fupd f ∘ betree_internal_pivot_fupd g =
+ betree_internal_pivot_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_internal_pivot_fupd f ∘ betree_internal_pivot_fupd g ∘ h =
+ betree_internal_pivot_fupd (f ∘ g) ∘ h) ∧
+ ((∀g f.
+ betree_internal_left_fupd f ∘ betree_internal_left_fupd g =
+ betree_internal_left_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_internal_left_fupd f ∘ betree_internal_left_fupd g ∘ h =
+ betree_internal_left_fupd (f ∘ g) ∘ h) ∧
+ (∀g f.
+ betree_internal_right_fupd f ∘ betree_internal_right_fupd g =
+ betree_internal_right_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_internal_right_fupd f ∘ betree_internal_right_fupd g ∘ h =
+ betree_internal_right_fupd (f ∘ g) ∘ h
+
+ [betree_internal_t_induction] Theorem
+
+ ⊢ ∀P0 P1.
+ (∀b. P1 b ⇒ P0 (BetreeNodeInternal b)) ∧
+ (∀b. P0 (BetreeNodeLeaf b)) ∧
+ (∀b b0. P0 b ∧ P0 b0 ⇒ ∀u u0. P1 (betree_internal_t u0 u b b0)) ⇒
+ (∀b. P0 b) ∧ ∀b. P1 b
+
+ [betree_internal_t_literal_11] Theorem
+
+ ⊢ ∀u01 u1 b11 b01 u02 u2 b12 b02.
+ <|betree_internal_id := u01; betree_internal_pivot := u1;
+ betree_internal_left := b11; betree_internal_right := b01|> =
+ <|betree_internal_id := u02; betree_internal_pivot := u2;
+ betree_internal_left := b12; betree_internal_right := b02|> ⇔
+ u01 = u02 ∧ u1 = u2 ∧ b11 = b12 ∧ b01 = b02
+
+ [betree_internal_t_literal_nchotomy] Theorem
+
+ ⊢ ∀b. ∃u0 u b1 b0.
+ b =
+ <|betree_internal_id := u0; betree_internal_pivot := u;
+ betree_internal_left := b1; betree_internal_right := b0|>
+
+ [betree_internal_t_nchotomy] Theorem
+
+ ⊢ ∀bb. ∃u0 u b b0. bb = betree_internal_t u0 u b b0
+
+ [betree_internal_t_updates_eq_literal] Theorem
+
+ ⊢ ∀b u0 u b1 b0.
+ b with
+ <|betree_internal_id := u0; betree_internal_pivot := u;
+ betree_internal_left := b1; betree_internal_right := b0|> =
+ <|betree_internal_id := u0; betree_internal_pivot := u;
+ betree_internal_left := b1; betree_internal_right := b0|>
+
+ [betree_leaf_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ betree_leaf_t a0 a1 = betree_leaf_t a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [betree_leaf_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a0 a1. fn (betree_leaf_t a0 a1) = f a0 a1
+
+ [betree_leaf_t_accessors] Theorem
+
+ ⊢ (∀u u0. (betree_leaf_t u u0).betree_leaf_id = u) ∧
+ ∀u u0. (betree_leaf_t u u0).betree_leaf_size = u0
+
+ [betree_leaf_t_accfupds] Theorem
+
+ ⊢ (∀f b.
+ (b with betree_leaf_size updated_by f).betree_leaf_id =
+ b.betree_leaf_id) ∧
+ (∀f b.
+ (b with betree_leaf_id updated_by f).betree_leaf_size =
+ b.betree_leaf_size) ∧
+ (∀f b.
+ (b with betree_leaf_id updated_by f).betree_leaf_id =
+ f b.betree_leaf_id) ∧
+ ∀f b.
+ (b with betree_leaf_size updated_by f).betree_leaf_size =
+ f b.betree_leaf_size
+
+ [betree_leaf_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a0 a1. M' = betree_leaf_t a0 a1 ⇒ f a0 a1 = f' a0 a1) ⇒
+ betree_leaf_t_CASE M f = betree_leaf_t_CASE M' f'
+
+ [betree_leaf_t_case_eq] Theorem
+
+ ⊢ betree_leaf_t_CASE x f = v ⇔
+ ∃u u0. x = betree_leaf_t u u0 ∧ f u u0 = v
+
+ [betree_leaf_t_component_equality] Theorem
+
+ ⊢ ∀b1 b2.
+ b1 = b2 ⇔
+ b1.betree_leaf_id = b2.betree_leaf_id ∧
+ b1.betree_leaf_size = b2.betree_leaf_size
+
+ [betree_leaf_t_fn_updates] Theorem
+
+ ⊢ (∀f u u0.
+ betree_leaf_t u u0 with betree_leaf_id updated_by f =
+ betree_leaf_t (f u) u0) ∧
+ ∀f u u0.
+ betree_leaf_t u u0 with betree_leaf_size updated_by f =
+ betree_leaf_t u (f u0)
+
+ [betree_leaf_t_fupdcanon] Theorem
+
+ ⊢ ∀g f b.
+ b with
+ <|betree_leaf_size updated_by f; betree_leaf_id updated_by g|> =
+ b with
+ <|betree_leaf_id updated_by g; betree_leaf_size updated_by f|>
+
+ [betree_leaf_t_fupdcanon_comp] Theorem
+
+ ⊢ (∀g f.
+ betree_leaf_size_fupd f ∘ betree_leaf_id_fupd g =
+ betree_leaf_id_fupd g ∘ betree_leaf_size_fupd f) ∧
+ ∀h g f.
+ betree_leaf_size_fupd f ∘ betree_leaf_id_fupd g ∘ h =
+ betree_leaf_id_fupd g ∘ betree_leaf_size_fupd f ∘ h
+
+ [betree_leaf_t_fupdfupds] Theorem
+
+ ⊢ (∀g f b.
+ b with
+ <|betree_leaf_id updated_by f; betree_leaf_id updated_by g|> =
+ b with betree_leaf_id updated_by f ∘ g) ∧
+ ∀g f b.
+ b with
+ <|betree_leaf_size updated_by f; betree_leaf_size updated_by g|> =
+ b with betree_leaf_size updated_by f ∘ g
+
+ [betree_leaf_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f.
+ betree_leaf_id_fupd f ∘ betree_leaf_id_fupd g =
+ betree_leaf_id_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_leaf_id_fupd f ∘ betree_leaf_id_fupd g ∘ h =
+ betree_leaf_id_fupd (f ∘ g) ∘ h) ∧
+ (∀g f.
+ betree_leaf_size_fupd f ∘ betree_leaf_size_fupd g =
+ betree_leaf_size_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_leaf_size_fupd f ∘ betree_leaf_size_fupd g ∘ h =
+ betree_leaf_size_fupd (f ∘ g) ∘ h
+
+ [betree_leaf_t_induction] Theorem
+
+ ⊢ ∀P. (∀u u0. P (betree_leaf_t u u0)) ⇒ ∀b. P b
+
+ [betree_leaf_t_literal_11] Theorem
+
+ ⊢ ∀u01 u1 u02 u2.
+ <|betree_leaf_id := u01; betree_leaf_size := u1|> =
+ <|betree_leaf_id := u02; betree_leaf_size := u2|> ⇔
+ u01 = u02 ∧ u1 = u2
+
+ [betree_leaf_t_literal_nchotomy] Theorem
+
+ ⊢ ∀b. ∃u0 u. b = <|betree_leaf_id := u0; betree_leaf_size := u|>
+
+ [betree_leaf_t_nchotomy] Theorem
+
+ ⊢ ∀bb. ∃u u0. bb = betree_leaf_t u u0
+
+ [betree_leaf_t_updates_eq_literal] Theorem
+
+ ⊢ ∀b u0 u.
+ b with <|betree_leaf_id := u0; betree_leaf_size := u|> =
+ <|betree_leaf_id := u0; betree_leaf_size := u|>
+
+ [betree_list_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ BetreeListCons a0 a1 = BetreeListCons a0' a1' ⇔
+ a0 = a0' ∧ a1 = a1'
+
+ [betree_list_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a0 a1. fn (BetreeListCons a0 a1) = f0 a0 a1 (fn a1)) ∧
+ fn BetreeListNil = f1
+
+ [betree_list_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧
+ (∀a0 a1. M' = BetreeListCons a0 a1 ⇒ f a0 a1 = f' a0 a1) ∧
+ (M' = BetreeListNil ⇒ v = v') ⇒
+ betree_list_t_CASE M f v = betree_list_t_CASE M' f' v'
+
+ [betree_list_t_case_eq] Theorem
+
+ ⊢ betree_list_t_CASE x f v = v' ⇔
+ (∃t b. x = BetreeListCons t b ∧ f t b = v') ∨
+ x = BetreeListNil ∧ v = v'
+
+ [betree_list_t_distinct] Theorem
+
+ ⊢ ∀a1 a0. BetreeListCons a0 a1 ≠ BetreeListNil
+
+ [betree_list_t_induction] Theorem
+
+ ⊢ ∀P. (∀b. P b ⇒ ∀t. P (BetreeListCons t b)) ∧ P BetreeListNil ⇒
+ ∀b. P b
+
+ [betree_list_t_nchotomy] Theorem
+
+ ⊢ ∀bb. (∃t b. bb = BetreeListCons t b) ∨ bb = BetreeListNil
+
+ [betree_message_t_11] Theorem
+
+ ⊢ (∀a a'. BetreeMessageInsert a = BetreeMessageInsert a' ⇔ a = a') ∧
+ ∀a a'. BetreeMessageUpsert a = BetreeMessageUpsert a' ⇔ a = a'
+
+ [betree_message_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1 f2. ∃fn.
+ (∀a. fn (BetreeMessageInsert a) = f0 a) ∧
+ fn BetreeMessageDelete = f1 ∧
+ ∀a. fn (BetreeMessageUpsert a) = f2 a
+
+ [betree_message_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v f1.
+ M = M' ∧ (∀a. M' = BetreeMessageInsert a ⇒ f a = f' a) ∧
+ (M' = BetreeMessageDelete ⇒ v = v') ∧
+ (∀a. M' = BetreeMessageUpsert a ⇒ f1 a = f1' a) ⇒
+ betree_message_t_CASE M f v f1 =
+ betree_message_t_CASE M' f' v' f1'
+
+ [betree_message_t_case_eq] Theorem
+
+ ⊢ betree_message_t_CASE x f v f1 = v' ⇔
+ (∃u. x = BetreeMessageInsert u ∧ f u = v') ∨
+ x = BetreeMessageDelete ∧ v = v' ∨
+ ∃b. x = BetreeMessageUpsert b ∧ f1 b = v'
+
+ [betree_message_t_distinct] Theorem
+
+ ⊢ (∀a. BetreeMessageInsert a ≠ BetreeMessageDelete) ∧
+ (∀a' a. BetreeMessageInsert a ≠ BetreeMessageUpsert a') ∧
+ ∀a. BetreeMessageDelete ≠ BetreeMessageUpsert a
+
+ [betree_message_t_induction] Theorem
+
+ ⊢ ∀P. (∀u. P (BetreeMessageInsert u)) ∧ P BetreeMessageDelete ∧
+ (∀b. P (BetreeMessageUpsert b)) ⇒
+ ∀b. P b
+
+ [betree_message_t_nchotomy] Theorem
+
+ ⊢ ∀bb.
+ (∃u. bb = BetreeMessageInsert u) ∨ bb = BetreeMessageDelete ∨
+ ∃b. bb = BetreeMessageUpsert b
+
+ [betree_node_id_counter_t_11] Theorem
+
+ ⊢ ∀a a'.
+ betree_node_id_counter_t a = betree_node_id_counter_t a' ⇔ a = a'
+
+ [betree_node_id_counter_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a. fn (betree_node_id_counter_t a) = f a
+
+ [betree_node_id_counter_t_accessors] Theorem
+
+ ⊢ ∀u. (betree_node_id_counter_t u).
+ betree_node_id_counter_next_node_id =
+ u
+
+ [betree_node_id_counter_t_accfupds] Theorem
+
+ ⊢ ∀f b.
+ (b with betree_node_id_counter_next_node_id updated_by f).
+ betree_node_id_counter_next_node_id =
+ f b.betree_node_id_counter_next_node_id
+
+ [betree_node_id_counter_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a. M' = betree_node_id_counter_t a ⇒ f a = f' a) ⇒
+ betree_node_id_counter_t_CASE M f =
+ betree_node_id_counter_t_CASE M' f'
+
+ [betree_node_id_counter_t_case_eq] Theorem
+
+ ⊢ betree_node_id_counter_t_CASE x f = v ⇔
+ ∃u. x = betree_node_id_counter_t u ∧ f u = v
+
+ [betree_node_id_counter_t_component_equality] Theorem
+
+ ⊢ ∀b1 b2.
+ b1 = b2 ⇔
+ b1.betree_node_id_counter_next_node_id =
+ b2.betree_node_id_counter_next_node_id
+
+ [betree_node_id_counter_t_fn_updates] Theorem
+
+ ⊢ ∀f u.
+ betree_node_id_counter_t u with
+ betree_node_id_counter_next_node_id updated_by f =
+ betree_node_id_counter_t (f u)
+
+ [betree_node_id_counter_t_fupdfupds] Theorem
+
+ ⊢ ∀g f b.
+ b with
+ <|betree_node_id_counter_next_node_id updated_by f;
+ betree_node_id_counter_next_node_id updated_by g|> =
+ b with betree_node_id_counter_next_node_id updated_by f ∘ g
+
+ [betree_node_id_counter_t_fupdfupds_comp] Theorem
+
+ ⊢ (∀g f.
+ betree_node_id_counter_next_node_id_fupd f ∘
+ betree_node_id_counter_next_node_id_fupd g =
+ betree_node_id_counter_next_node_id_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_node_id_counter_next_node_id_fupd f ∘
+ betree_node_id_counter_next_node_id_fupd g ∘ h =
+ betree_node_id_counter_next_node_id_fupd (f ∘ g) ∘ h
+
+ [betree_node_id_counter_t_induction] Theorem
+
+ ⊢ ∀P. (∀u. P (betree_node_id_counter_t u)) ⇒ ∀b. P b
+
+ [betree_node_id_counter_t_literal_11] Theorem
+
+ ⊢ ∀u1 u2.
+ <|betree_node_id_counter_next_node_id := u1|> =
+ <|betree_node_id_counter_next_node_id := u2|> ⇔ u1 = u2
+
+ [betree_node_id_counter_t_literal_nchotomy] Theorem
+
+ ⊢ ∀b. ∃u. b = <|betree_node_id_counter_next_node_id := u|>
+
+ [betree_node_id_counter_t_nchotomy] Theorem
+
+ ⊢ ∀bb. ∃u. bb = betree_node_id_counter_t u
+
+ [betree_node_id_counter_t_updates_eq_literal] Theorem
+
+ ⊢ ∀b u.
+ b with betree_node_id_counter_next_node_id := u =
+ <|betree_node_id_counter_next_node_id := u|>
+
+ [betree_node_t_11] Theorem
+
+ ⊢ (∀a a'. BetreeNodeInternal a = BetreeNodeInternal a' ⇔ a = a') ∧
+ ∀a a'. BetreeNodeLeaf a = BetreeNodeLeaf a' ⇔ a = a'
+
+ [betree_node_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1 f2. ∃fn0 fn1.
+ (∀a. fn0 (BetreeNodeInternal a) = f0 a (fn1 a)) ∧
+ (∀a. fn0 (BetreeNodeLeaf a) = f1 a) ∧
+ ∀a0 a1 a2 a3.
+ fn1 (betree_internal_t a0 a1 a2 a3) =
+ f2 a0 a1 a2 a3 (fn0 a2) (fn0 a3)
+
+ [betree_node_t_case_cong] Theorem
+
+ ⊢ ∀M M' f f1.
+ M = M' ∧ (∀a. M' = BetreeNodeInternal a ⇒ f a = f' a) ∧
+ (∀a. M' = BetreeNodeLeaf a ⇒ f1 a = f1' a) ⇒
+ betree_node_t_CASE M f f1 = betree_node_t_CASE M' f' f1'
+
+ [betree_node_t_case_eq] Theorem
+
+ ⊢ betree_node_t_CASE x f f1 = v ⇔
+ (∃b. x = BetreeNodeInternal b ∧ f b = v) ∨
+ ∃b. x = BetreeNodeLeaf b ∧ f1 b = v
+
+ [betree_node_t_distinct] Theorem
+
+ ⊢ ∀a' a. BetreeNodeInternal a ≠ BetreeNodeLeaf a'
+
+ [betree_node_t_induction] Theorem
+
+ ⊢ ∀P0 P1.
+ (∀b. P1 b ⇒ P0 (BetreeNodeInternal b)) ∧
+ (∀b. P0 (BetreeNodeLeaf b)) ∧
+ (∀b b0. P0 b ∧ P0 b0 ⇒ ∀u u0. P1 (betree_internal_t u0 u b b0)) ⇒
+ (∀b. P0 b) ∧ ∀b. P1 b
+
+ [betree_node_t_nchotomy] Theorem
+
+ ⊢ ∀bb. (∃b. bb = BetreeNodeInternal b) ∨ ∃b. bb = BetreeNodeLeaf b
+
+ [betree_params_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ betree_params_t a0 a1 = betree_params_t a0' a1' ⇔
+ a0 = a0' ∧ a1 = a1'
+
+ [betree_params_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a0 a1. fn (betree_params_t a0 a1) = f a0 a1
+
+ [betree_params_t_accessors] Theorem
+
+ ⊢ (∀u u0. (betree_params_t u u0).betree_params_min_flush_size = u) ∧
+ ∀u u0. (betree_params_t u u0).betree_params_split_size = u0
+
+ [betree_params_t_accfupds] Theorem
+
+ ⊢ (∀f b.
+ (b with betree_params_split_size updated_by f).
+ betree_params_min_flush_size =
+ b.betree_params_min_flush_size) ∧
+ (∀f b.
+ (b with betree_params_min_flush_size updated_by f).
+ betree_params_split_size =
+ b.betree_params_split_size) ∧
+ (∀f b.
+ (b with betree_params_min_flush_size updated_by f).
+ betree_params_min_flush_size =
+ f b.betree_params_min_flush_size) ∧
+ ∀f b.
+ (b with betree_params_split_size updated_by f).
+ betree_params_split_size =
+ f b.betree_params_split_size
+
+ [betree_params_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧
+ (∀a0 a1. M' = betree_params_t a0 a1 ⇒ f a0 a1 = f' a0 a1) ⇒
+ betree_params_t_CASE M f = betree_params_t_CASE M' f'
+
+ [betree_params_t_case_eq] Theorem
+
+ ⊢ betree_params_t_CASE x f = v ⇔
+ ∃u u0. x = betree_params_t u u0 ∧ f u u0 = v
+
+ [betree_params_t_component_equality] Theorem
+
+ ⊢ ∀b1 b2.
+ b1 = b2 ⇔
+ b1.betree_params_min_flush_size = b2.betree_params_min_flush_size ∧
+ b1.betree_params_split_size = b2.betree_params_split_size
+
+ [betree_params_t_fn_updates] Theorem
+
+ ⊢ (∀f u u0.
+ betree_params_t u u0 with
+ betree_params_min_flush_size updated_by f =
+ betree_params_t (f u) u0) ∧
+ ∀f u u0.
+ betree_params_t u u0 with betree_params_split_size updated_by f =
+ betree_params_t u (f u0)
+
+ [betree_params_t_fupdcanon] Theorem
+
+ ⊢ ∀g f b.
+ b with
+ <|betree_params_split_size updated_by f;
+ betree_params_min_flush_size updated_by g|> =
+ b with
+ <|betree_params_min_flush_size updated_by g;
+ betree_params_split_size updated_by f|>
+
+ [betree_params_t_fupdcanon_comp] Theorem
+
+ ⊢ (∀g f.
+ betree_params_split_size_fupd f ∘
+ betree_params_min_flush_size_fupd g =
+ betree_params_min_flush_size_fupd g ∘
+ betree_params_split_size_fupd f) ∧
+ ∀h g f.
+ betree_params_split_size_fupd f ∘
+ betree_params_min_flush_size_fupd g ∘ h =
+ betree_params_min_flush_size_fupd g ∘
+ betree_params_split_size_fupd f ∘ h
+
+ [betree_params_t_fupdfupds] Theorem
+
+ ⊢ (∀g f b.
+ b with
+ <|betree_params_min_flush_size updated_by f;
+ betree_params_min_flush_size updated_by g|> =
+ b with betree_params_min_flush_size updated_by f ∘ g) ∧
+ ∀g f b.
+ b with
+ <|betree_params_split_size updated_by f;
+ betree_params_split_size updated_by g|> =
+ b with betree_params_split_size updated_by f ∘ g
+
+ [betree_params_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f.
+ betree_params_min_flush_size_fupd f ∘
+ betree_params_min_flush_size_fupd g =
+ betree_params_min_flush_size_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_params_min_flush_size_fupd f ∘
+ betree_params_min_flush_size_fupd g ∘ h =
+ betree_params_min_flush_size_fupd (f ∘ g) ∘ h) ∧
+ (∀g f.
+ betree_params_split_size_fupd f ∘
+ betree_params_split_size_fupd g =
+ betree_params_split_size_fupd (f ∘ g)) ∧
+ ∀h g f.
+ betree_params_split_size_fupd f ∘
+ betree_params_split_size_fupd g ∘ h =
+ betree_params_split_size_fupd (f ∘ g) ∘ h
+
+ [betree_params_t_induction] Theorem
+
+ ⊢ ∀P. (∀u u0. P (betree_params_t u u0)) ⇒ ∀b. P b
+
+ [betree_params_t_literal_11] Theorem
+
+ ⊢ ∀u01 u1 u02 u2.
+ <|betree_params_min_flush_size := u01;
+ betree_params_split_size := u1|> =
+ <|betree_params_min_flush_size := u02;
+ betree_params_split_size := u2|> ⇔ u01 = u02 ∧ u1 = u2
+
+ [betree_params_t_literal_nchotomy] Theorem
+
+ ⊢ ∀b. ∃u0 u.
+ b =
+ <|betree_params_min_flush_size := u0;
+ betree_params_split_size := u|>
+
+ [betree_params_t_nchotomy] Theorem
+
+ ⊢ ∀bb. ∃u u0. bb = betree_params_t u u0
+
+ [betree_params_t_updates_eq_literal] Theorem
+
+ ⊢ ∀b u0 u.
+ b with
+ <|betree_params_min_flush_size := u0;
+ betree_params_split_size := u|> =
+ <|betree_params_min_flush_size := u0;
+ betree_params_split_size := u|>
+
+ [betree_upsert_fun_state_t_11] Theorem
+
+ ⊢ (∀a a'.
+ BetreeUpsertFunStateAdd a = BetreeUpsertFunStateAdd a' ⇔ a = a') ∧
+ ∀a a'.
+ BetreeUpsertFunStateSub a = BetreeUpsertFunStateSub a' ⇔ a = a'
+
+ [betree_upsert_fun_state_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a. fn (BetreeUpsertFunStateAdd a) = f0 a) ∧
+ ∀a. fn (BetreeUpsertFunStateSub a) = f1 a
+
+ [betree_upsert_fun_state_t_case_cong] Theorem
+
+ ⊢ ∀M M' f f1.
+ M = M' ∧ (∀a. M' = BetreeUpsertFunStateAdd a ⇒ f a = f' a) ∧
+ (∀a. M' = BetreeUpsertFunStateSub a ⇒ f1 a = f1' a) ⇒
+ betree_upsert_fun_state_t_CASE M f f1 =
+ betree_upsert_fun_state_t_CASE M' f' f1'
+
+ [betree_upsert_fun_state_t_case_eq] Theorem
+
+ ⊢ betree_upsert_fun_state_t_CASE x f f1 = v ⇔
+ (∃u. x = BetreeUpsertFunStateAdd u ∧ f u = v) ∨
+ ∃u. x = BetreeUpsertFunStateSub u ∧ f1 u = v
+
+ [betree_upsert_fun_state_t_distinct] Theorem
+
+ ⊢ ∀a' a. BetreeUpsertFunStateAdd a ≠ BetreeUpsertFunStateSub a'
+
+ [betree_upsert_fun_state_t_induction] Theorem
+
+ ⊢ ∀P. (∀u. P (BetreeUpsertFunStateAdd u)) ∧
+ (∀u. P (BetreeUpsertFunStateSub u)) ⇒
+ ∀b. P b
+
+ [betree_upsert_fun_state_t_nchotomy] Theorem
+
+ ⊢ ∀bb.
+ (∃u. bb = BetreeUpsertFunStateAdd u) ∨
+ ∃u. bb = BetreeUpsertFunStateSub u
+
+ [datatype_betree_be_tree_t] Theorem
+
+ ⊢ DATATYPE
+ (record betree_be_tree_t betree_be_tree_params
+ betree_be_tree_node_id_cnt betree_be_tree_root)
+
+ [datatype_betree_leaf_t] Theorem
+
+ ⊢ DATATYPE (record betree_leaf_t betree_leaf_id betree_leaf_size)
+
+ [datatype_betree_list_t] Theorem
+
+ ⊢ DATATYPE (betree_list_t BetreeListCons BetreeListNil)
+
+ [datatype_betree_message_t] Theorem
+
+ ⊢ DATATYPE
+ (betree_message_t BetreeMessageInsert BetreeMessageDelete
+ BetreeMessageUpsert)
+
+ [datatype_betree_node_id_counter_t] Theorem
+
+ ⊢ DATATYPE
+ (record betree_node_id_counter_t
+ betree_node_id_counter_next_node_id)
+
+ [datatype_betree_node_t] Theorem
+
+ ⊢ DATATYPE
+ (betree_node_t BetreeNodeInternal BetreeNodeLeaf ∧
+ record betree_internal_t betree_internal_id
+ betree_internal_pivot betree_internal_left
+ betree_internal_right)
+
+ [datatype_betree_params_t] Theorem
+
+ ⊢ DATATYPE
+ (record betree_params_t betree_params_min_flush_size
+ betree_params_split_size)
+
+ [datatype_betree_upsert_fun_state_t] Theorem
+
+ ⊢ DATATYPE
+ (betree_upsert_fun_state_t BetreeUpsertFunStateAdd
+ BetreeUpsertFunStateSub)
+
+
+*)
+end
diff --git a/tests/hol4/hashmap/Holmakefile b/tests/hol4/hashmap/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/hashmap/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/hashmap/hashmap_FunsScript.sml b/tests/hol4/hashmap/hashmap_FunsScript.sml
new file mode 100644
index 00000000..9ad497f5
--- /dev/null
+++ b/tests/hol4/hashmap/hashmap_FunsScript.sml
@@ -0,0 +1,567 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [hashmap]: function definitions *)
+open primitivesLib divDefLib
+open hashmap_TypesTheory
+
+val _ = new_theory "hashmap_Funs"
+
+
+val hash_key_fwd_def = Define ‘
+ (** [hashmap::hash_key] *)
+ hash_key_fwd (k : usize) : usize result =
+ Return k
+’
+
+val [hash_map_allocate_slots_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::allocate_slots] *)
+ hash_map_allocate_slots_loop_fwd
+ (slots : 't list_t vec) (n : usize) : 't list_t vec result =
+ if usize_gt n (int_to_usize 0)
+ then (
+ do
+ slots0 <- vec_push_back slots ListNil;
+ n0 <- usize_sub n (int_to_usize 1);
+ hash_map_allocate_slots_loop_fwd slots0 n0
+ od)
+ else Return slots
+’
+
+val hash_map_allocate_slots_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::allocate_slots] *)
+ hash_map_allocate_slots_fwd
+ (slots : 't list_t vec) (n : usize) : 't list_t vec result =
+ hash_map_allocate_slots_loop_fwd slots n
+’
+
+val hash_map_new_with_capacity_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::new_with_capacity] *)
+ hash_map_new_with_capacity_fwd
+ (capacity : usize) (max_load_dividend : usize) (max_load_divisor : usize) :
+ 't hash_map_t result
+ =
+ let v = vec_new in
+ do
+ slots <- hash_map_allocate_slots_fwd v capacity;
+ i <- usize_mul capacity max_load_dividend;
+ i0 <- usize_div i max_load_divisor;
+ Return
+ (<|
+ hash_map_num_entries := (int_to_usize 0);
+ hash_map_max_load_factor := (max_load_dividend, max_load_divisor);
+ hash_map_max_load := i0;
+ hash_map_slots := slots
+ |>)
+ od
+’
+
+val hash_map_new_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::new] *)
+ hash_map_new_fwd : 't hash_map_t result =
+ hash_map_new_with_capacity_fwd (int_to_usize 32) (int_to_usize 4)
+ (int_to_usize 5)
+’
+
+val [hash_map_clear_loop_fwd_back_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::clear] *)
+ hash_map_clear_loop_fwd_back
+ (slots : 't list_t vec) (i : usize) : 't list_t vec result =
+ let i0 = vec_len slots in
+ if usize_lt i i0
+ then (
+ do
+ i1 <- usize_add i (int_to_usize 1);
+ slots0 <- vec_index_mut_back slots i ListNil;
+ hash_map_clear_loop_fwd_back slots0 i1
+ od)
+ else Return slots
+’
+
+val hash_map_clear_fwd_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::clear] *)
+ hash_map_clear_fwd_back (self : 't hash_map_t) : 't hash_map_t result =
+ do
+ v <- hash_map_clear_loop_fwd_back self.hash_map_slots (int_to_usize 0);
+ Return
+ (self
+ with
+ <|
+ hash_map_num_entries := (int_to_usize 0); hash_map_slots := v
+ |>)
+ od
+’
+
+val hash_map_len_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::len] *)
+ hash_map_len_fwd (self : 't hash_map_t) : usize result =
+ Return self.hash_map_num_entries
+’
+
+val [hash_map_insert_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::insert_in_list] *)
+ hash_map_insert_in_list_loop_fwd
+ (key : usize) (value : 't) (ls : 't list_t) : bool result =
+ (case ls of
+ | ListCons ckey cvalue tl =>
+ if ckey = key
+ then Return F
+ else hash_map_insert_in_list_loop_fwd key value tl
+ | ListNil => Return T)
+’
+
+val hash_map_insert_in_list_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::insert_in_list] *)
+ hash_map_insert_in_list_fwd
+ (key : usize) (value : 't) (ls : 't list_t) : bool result =
+ hash_map_insert_in_list_loop_fwd key value ls
+’
+
+val [hash_map_insert_in_list_loop_back_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::insert_in_list] *)
+ hash_map_insert_in_list_loop_back
+ (key : usize) (value : 't) (ls : 't list_t) : 't list_t result =
+ (case ls of
+ | ListCons ckey cvalue tl =>
+ if ckey = key
+ then Return (ListCons ckey value tl)
+ else (
+ do
+ tl0 <- hash_map_insert_in_list_loop_back key value tl;
+ Return (ListCons ckey cvalue tl0)
+ od)
+ | ListNil => let l = ListNil in Return (ListCons key value l))
+’
+
+val hash_map_insert_in_list_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::insert_in_list] *)
+ hash_map_insert_in_list_back
+ (key : usize) (value : 't) (ls : 't list_t) : 't list_t result =
+ hash_map_insert_in_list_loop_back key value ls
+’
+
+val hash_map_insert_no_resize_fwd_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::insert_no_resize] *)
+ hash_map_insert_no_resize_fwd_back
+ (self : 't hash_map_t) (key : usize) (value : 't) : 't hash_map_t result =
+ do
+ hash <- hash_key_fwd key;
+ let i = vec_len self.hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ inserted <- hash_map_insert_in_list_fwd key value l;
+ if inserted
+ then (
+ do
+ i0 <- usize_add self.hash_map_num_entries (int_to_usize 1);
+ l0 <- hash_map_insert_in_list_back key value l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with <| hash_map_num_entries := i0; hash_map_slots := v |>)
+ od)
+ else (
+ do
+ l0 <- hash_map_insert_in_list_back key value l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with <| hash_map_slots := v |>)
+ od)
+ od
+ od
+’
+
+(** [core::num::u32::{9}::MAX] *)
+Definition core_num_u32_max_body_def:
+ core_num_u32_max_body : u32 result = Return (int_to_u32 4294967295)
+End
+Definition core_num_u32_max_c_def:
+ core_num_u32_max_c : u32 = get_return_value core_num_u32_max_body
+End
+
+val [hash_map_move_elements_from_list_loop_fwd_back_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::move_elements_from_list] *)
+ hash_map_move_elements_from_list_loop_fwd_back
+ (ntable : 't hash_map_t) (ls : 't list_t) : 't hash_map_t result =
+ (case ls of
+ | ListCons k v tl =>
+ do
+ ntable0 <- hash_map_insert_no_resize_fwd_back ntable k v;
+ hash_map_move_elements_from_list_loop_fwd_back ntable0 tl
+ od
+ | ListNil => Return ntable)
+’
+
+val hash_map_move_elements_from_list_fwd_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::move_elements_from_list] *)
+ hash_map_move_elements_from_list_fwd_back
+ (ntable : 't hash_map_t) (ls : 't list_t) : 't hash_map_t result =
+ hash_map_move_elements_from_list_loop_fwd_back ntable ls
+’
+
+val [hash_map_move_elements_loop_fwd_back_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::move_elements] *)
+ hash_map_move_elements_loop_fwd_back
+ (ntable : 't hash_map_t) (slots : 't list_t vec) (i : usize) :
+ ('t hash_map_t # 't list_t vec) result
+ =
+ let i0 = vec_len slots in
+ if usize_lt i i0
+ then (
+ do
+ l <- vec_index_mut_fwd slots i;
+ let ls = mem_replace_fwd l ListNil in
+ do
+ ntable0 <- hash_map_move_elements_from_list_fwd_back ntable ls;
+ i1 <- usize_add i (int_to_usize 1);
+ let l0 = mem_replace_back l ListNil in
+ do
+ slots0 <- vec_index_mut_back slots i l0;
+ hash_map_move_elements_loop_fwd_back ntable0 slots0 i1
+ od
+ od
+ od)
+ else Return (ntable, slots)
+’
+
+val hash_map_move_elements_fwd_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::move_elements] *)
+ hash_map_move_elements_fwd_back
+ (ntable : 't hash_map_t) (slots : 't list_t vec) (i : usize) :
+ ('t hash_map_t # 't list_t vec) result
+ =
+ hash_map_move_elements_loop_fwd_back ntable slots i
+’
+
+val hash_map_try_resize_fwd_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::try_resize] *)
+ hash_map_try_resize_fwd_back (self : 't hash_map_t) : 't hash_map_t result =
+ do
+ max_usize <- mk_usize (u32_to_int core_num_u32_max_c);
+ let capacity = vec_len self.hash_map_slots in
+ do
+ n1 <- usize_div max_usize (int_to_usize 2);
+ let (i, i0) = self.hash_map_max_load_factor in
+ do
+ i1 <- usize_div n1 i;
+ if usize_le capacity i1
+ then (
+ do
+ i2 <- usize_mul capacity (int_to_usize 2);
+ ntable <- hash_map_new_with_capacity_fwd i2 i i0;
+ (ntable0, _) <-
+ hash_map_move_elements_fwd_back ntable self.hash_map_slots
+ (int_to_usize 0);
+ Return
+ (ntable0
+ with
+ <|
+ hash_map_num_entries := self.hash_map_num_entries;
+ hash_map_max_load_factor := (i, i0)
+ |>)
+ od)
+ else Return (self with <| hash_map_max_load_factor := (i, i0) |>)
+ od
+ od
+ od
+’
+
+val hash_map_insert_fwd_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::insert] *)
+ hash_map_insert_fwd_back
+ (self : 't hash_map_t) (key : usize) (value : 't) : 't hash_map_t result =
+ do
+ self0 <- hash_map_insert_no_resize_fwd_back self key value;
+ i <- hash_map_len_fwd self0;
+ if usize_gt i self0.hash_map_max_load
+ then hash_map_try_resize_fwd_back self0
+ else Return self0
+ od
+’
+
+val [hash_map_contains_key_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::contains_key_in_list] *)
+ hash_map_contains_key_in_list_loop_fwd
+ (key : usize) (ls : 't list_t) : bool result =
+ (case ls of
+ | ListCons ckey t tl =>
+ if ckey = key
+ then Return T
+ else hash_map_contains_key_in_list_loop_fwd key tl
+ | ListNil => Return F)
+’
+
+val hash_map_contains_key_in_list_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::contains_key_in_list] *)
+ hash_map_contains_key_in_list_fwd
+ (key : usize) (ls : 't list_t) : bool result =
+ hash_map_contains_key_in_list_loop_fwd key ls
+’
+
+val hash_map_contains_key_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::contains_key] *)
+ hash_map_contains_key_fwd
+ (self : 't hash_map_t) (key : usize) : bool result =
+ do
+ hash <- hash_key_fwd key;
+ let i = vec_len self.hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hash_map_slots hash_mod;
+ hash_map_contains_key_in_list_fwd key l
+ od
+ od
+’
+
+val [hash_map_get_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::get_in_list] *)
+ hash_map_get_in_list_loop_fwd (key : usize) (ls : 't list_t) : 't result =
+ (case ls of
+ | ListCons ckey cvalue tl =>
+ if ckey = key
+ then Return cvalue
+ else hash_map_get_in_list_loop_fwd key tl
+ | ListNil => Fail Failure)
+’
+
+val hash_map_get_in_list_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::get_in_list] *)
+ hash_map_get_in_list_fwd (key : usize) (ls : 't list_t) : 't result =
+ hash_map_get_in_list_loop_fwd key ls
+’
+
+val hash_map_get_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::get] *)
+ hash_map_get_fwd (self : 't hash_map_t) (key : usize) : 't result =
+ do
+ hash <- hash_key_fwd key;
+ let i = vec_len self.hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hash_map_slots hash_mod;
+ hash_map_get_in_list_fwd key l
+ od
+ od
+’
+
+val [hash_map_get_mut_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::get_mut_in_list] *)
+ hash_map_get_mut_in_list_loop_fwd
+ (ls : 't list_t) (key : usize) : 't result =
+ (case ls of
+ | ListCons ckey cvalue tl =>
+ if ckey = key
+ then Return cvalue
+ else hash_map_get_mut_in_list_loop_fwd tl key
+ | ListNil => Fail Failure)
+’
+
+val hash_map_get_mut_in_list_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::get_mut_in_list] *)
+ hash_map_get_mut_in_list_fwd (ls : 't list_t) (key : usize) : 't result =
+ hash_map_get_mut_in_list_loop_fwd ls key
+’
+
+val [hash_map_get_mut_in_list_loop_back_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::get_mut_in_list] *)
+ hash_map_get_mut_in_list_loop_back
+ (ls : 't list_t) (key : usize) (ret : 't) : 't list_t result =
+ (case ls of
+ | ListCons ckey cvalue tl =>
+ if ckey = key
+ then Return (ListCons ckey ret tl)
+ else (
+ do
+ tl0 <- hash_map_get_mut_in_list_loop_back tl key ret;
+ Return (ListCons ckey cvalue tl0)
+ od)
+ | ListNil => Fail Failure)
+’
+
+val hash_map_get_mut_in_list_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::get_mut_in_list] *)
+ hash_map_get_mut_in_list_back
+ (ls : 't list_t) (key : usize) (ret : 't) : 't list_t result =
+ hash_map_get_mut_in_list_loop_back ls key ret
+’
+
+val hash_map_get_mut_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::get_mut] *)
+ hash_map_get_mut_fwd (self : 't hash_map_t) (key : usize) : 't result =
+ do
+ hash <- hash_key_fwd key;
+ let i = vec_len self.hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ hash_map_get_mut_in_list_fwd l key
+ od
+ od
+’
+
+val hash_map_get_mut_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::get_mut] *)
+ hash_map_get_mut_back
+ (self : 't hash_map_t) (key : usize) (ret : 't) : 't hash_map_t result =
+ do
+ hash <- hash_key_fwd key;
+ let i = vec_len self.hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ l0 <- hash_map_get_mut_in_list_back l key ret;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with <| hash_map_slots := v |>)
+ od
+ od
+’
+
+val [hash_map_remove_from_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::remove_from_list] *)
+ hash_map_remove_from_list_loop_fwd
+ (key : usize) (ls : 't list_t) : 't option result =
+ (case ls of
+ | ListCons ckey t tl =>
+ if ckey = key
+ then
+ let mv_ls = mem_replace_fwd (ListCons ckey t tl) ListNil in
+ (case mv_ls of
+ | ListCons i cvalue tl0 => Return (SOME cvalue)
+ | ListNil => Fail Failure)
+ else hash_map_remove_from_list_loop_fwd key tl
+ | ListNil => Return NONE)
+’
+
+val hash_map_remove_from_list_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::remove_from_list] *)
+ hash_map_remove_from_list_fwd
+ (key : usize) (ls : 't list_t) : 't option result =
+ hash_map_remove_from_list_loop_fwd key ls
+’
+
+val [hash_map_remove_from_list_loop_back_def] = DefineDiv ‘
+ (** [hashmap::HashMap::{0}::remove_from_list] *)
+ hash_map_remove_from_list_loop_back
+ (key : usize) (ls : 't list_t) : 't list_t result =
+ (case ls of
+ | ListCons ckey t tl =>
+ if ckey = key
+ then
+ let mv_ls = mem_replace_fwd (ListCons ckey t tl) ListNil in
+ (case mv_ls of
+ | ListCons i cvalue tl0 => Return tl0
+ | ListNil => Fail Failure)
+ else (
+ do
+ tl0 <- hash_map_remove_from_list_loop_back key tl;
+ Return (ListCons ckey t tl0)
+ od)
+ | ListNil => Return ListNil)
+’
+
+val hash_map_remove_from_list_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::remove_from_list] *)
+ hash_map_remove_from_list_back
+ (key : usize) (ls : 't list_t) : 't list_t result =
+ hash_map_remove_from_list_loop_back key ls
+’
+
+val hash_map_remove_fwd_def = Define ‘
+ (** [hashmap::HashMap::{0}::remove] *)
+ hash_map_remove_fwd (self : 't hash_map_t) (key : usize) : 't option result =
+ do
+ hash <- hash_key_fwd key;
+ let i = vec_len self.hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ x <- hash_map_remove_from_list_fwd key l;
+ (case x of
+ | NONE => Return NONE
+ | SOME x0 =>
+ do
+ _ <- usize_sub self.hash_map_num_entries (int_to_usize 1);
+ Return (SOME x0)
+ od)
+ od
+ od
+’
+
+val hash_map_remove_back_def = Define ‘
+ (** [hashmap::HashMap::{0}::remove] *)
+ hash_map_remove_back
+ (self : 't hash_map_t) (key : usize) : 't hash_map_t result =
+ do
+ hash <- hash_key_fwd key;
+ let i = vec_len self.hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ x <- hash_map_remove_from_list_fwd key l;
+ (case x of
+ | NONE =>
+ do
+ l0 <- hash_map_remove_from_list_back key l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with <| hash_map_slots := v |>)
+ od
+ | SOME x0 =>
+ do
+ i0 <- usize_sub self.hash_map_num_entries (int_to_usize 1);
+ l0 <- hash_map_remove_from_list_back key l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with <| hash_map_num_entries := i0; hash_map_slots := v |>)
+ od)
+ od
+ od
+’
+
+val test1_fwd_def = Define ‘
+ (** [hashmap::test1] *)
+ test1_fwd : unit result =
+ do
+ hm <- hash_map_new_fwd;
+ hm0 <- hash_map_insert_fwd_back hm (int_to_usize 0) (int_to_u64 42);
+ hm1 <- hash_map_insert_fwd_back hm0 (int_to_usize 128) (int_to_u64 18);
+ hm2 <- hash_map_insert_fwd_back hm1 (int_to_usize 1024) (int_to_u64 138);
+ hm3 <- hash_map_insert_fwd_back hm2 (int_to_usize 1056) (int_to_u64 256);
+ i <- hash_map_get_fwd hm3 (int_to_usize 128);
+ if ~ (i = int_to_u64 18)
+ then Fail Failure
+ else (
+ do
+ hm4 <- hash_map_get_mut_back hm3 (int_to_usize 1024) (int_to_u64 56);
+ i0 <- hash_map_get_fwd hm4 (int_to_usize 1024);
+ if ~ (i0 = int_to_u64 56)
+ then Fail Failure
+ else (
+ do
+ x <- hash_map_remove_fwd hm4 (int_to_usize 1024);
+ (case x of
+ | NONE => Fail Failure
+ | SOME x0 =>
+ if ~ (x0 = int_to_u64 56)
+ then Fail Failure
+ else (
+ do
+ hm5 <- hash_map_remove_back hm4 (int_to_usize 1024);
+ i1 <- hash_map_get_fwd hm5 (int_to_usize 0);
+ if ~ (i1 = int_to_u64 42)
+ then Fail Failure
+ else (
+ do
+ i2 <- hash_map_get_fwd hm5 (int_to_usize 128);
+ if ~ (i2 = int_to_u64 18)
+ then Fail Failure
+ else (
+ do
+ i3 <- hash_map_get_fwd hm5 (int_to_usize 1056);
+ if ~ (i3 = int_to_u64 256) then Fail Failure else Return ()
+ od)
+ od)
+ od))
+ od)
+ od)
+ od
+’
+
+(** Unit test for [hashmap::test1] *)
+val _ = assert_return (“test1_fwd”)
+
+val _ = export_theory ()
diff --git a/tests/hol4/hashmap/hashmap_FunsTheory.sig b/tests/hol4/hashmap/hashmap_FunsTheory.sig
new file mode 100644
index 00000000..50482547
--- /dev/null
+++ b/tests/hol4/hashmap/hashmap_FunsTheory.sig
@@ -0,0 +1,550 @@
+signature hashmap_FunsTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val core_num_u32_max_body_def : thm
+ val core_num_u32_max_c_def : thm
+ val hash_key_fwd_def : thm
+ val hash_map_allocate_slots_fwd_def : thm
+ val hash_map_allocate_slots_loop_fwd_def : thm
+ val hash_map_clear_fwd_back_def : thm
+ val hash_map_clear_loop_fwd_back_def : thm
+ val hash_map_contains_key_fwd_def : thm
+ val hash_map_contains_key_in_list_fwd_def : thm
+ val hash_map_contains_key_in_list_loop_fwd_def : thm
+ val hash_map_get_fwd_def : thm
+ val hash_map_get_in_list_fwd_def : thm
+ val hash_map_get_in_list_loop_fwd_def : thm
+ val hash_map_get_mut_back_def : thm
+ val hash_map_get_mut_fwd_def : thm
+ val hash_map_get_mut_in_list_back_def : thm
+ val hash_map_get_mut_in_list_fwd_def : thm
+ val hash_map_get_mut_in_list_loop_back_def : thm
+ val hash_map_get_mut_in_list_loop_fwd_def : thm
+ val hash_map_insert_fwd_back_def : thm
+ val hash_map_insert_in_list_back_def : thm
+ val hash_map_insert_in_list_fwd_def : thm
+ val hash_map_insert_in_list_loop_back_def : thm
+ val hash_map_insert_in_list_loop_fwd_def : thm
+ val hash_map_insert_no_resize_fwd_back_def : thm
+ val hash_map_len_fwd_def : thm
+ val hash_map_move_elements_from_list_fwd_back_def : thm
+ val hash_map_move_elements_from_list_loop_fwd_back_def : thm
+ val hash_map_move_elements_fwd_back_def : thm
+ val hash_map_move_elements_loop_fwd_back_def : thm
+ val hash_map_new_fwd_def : thm
+ val hash_map_new_with_capacity_fwd_def : thm
+ val hash_map_remove_back_def : thm
+ val hash_map_remove_from_list_back_def : thm
+ val hash_map_remove_from_list_fwd_def : thm
+ val hash_map_remove_from_list_loop_back_def : thm
+ val hash_map_remove_from_list_loop_fwd_def : thm
+ val hash_map_remove_fwd_def : thm
+ val hash_map_try_resize_fwd_back_def : thm
+ val test1_fwd_def : thm
+
+ val hashmap_Funs_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [hashmap_Types] Parent theory of "hashmap_Funs"
+
+ [core_num_u32_max_body_def] Definition
+
+ ⊢ core_num_u32_max_body = Return (int_to_u32 4294967295)
+
+ [core_num_u32_max_c_def] Definition
+
+ ⊢ core_num_u32_max_c = get_return_value core_num_u32_max_body
+
+ [hash_key_fwd_def] Definition
+
+ ⊢ ∀k. hash_key_fwd k = Return k
+
+ [hash_map_allocate_slots_fwd_def] Definition
+
+ ⊢ ∀slots n.
+ hash_map_allocate_slots_fwd slots n =
+ hash_map_allocate_slots_loop_fwd slots n
+
+ [hash_map_allocate_slots_loop_fwd_def] Definition
+
+ ⊢ ∀slots n.
+ hash_map_allocate_slots_loop_fwd slots n =
+ if usize_gt n (int_to_usize 0) then
+ do
+ slots0 <- vec_push_back slots ListNil;
+ n0 <- usize_sub n (int_to_usize 1);
+ hash_map_allocate_slots_loop_fwd slots0 n0
+ od
+ else Return slots
+
+ [hash_map_clear_fwd_back_def] Definition
+
+ ⊢ ∀self.
+ hash_map_clear_fwd_back self =
+ do
+ v <-
+ hash_map_clear_loop_fwd_back self.hash_map_slots
+ (int_to_usize 0);
+ Return
+ (self with
+ <|hash_map_num_entries := int_to_usize 0;
+ hash_map_slots := v|>)
+ od
+
+ [hash_map_clear_loop_fwd_back_def] Definition
+
+ ⊢ ∀slots i.
+ hash_map_clear_loop_fwd_back slots i =
+ (let
+ i0 = vec_len slots
+ in
+ if usize_lt i i0 then
+ do
+ i1 <- usize_add i (int_to_usize 1);
+ slots0 <- vec_index_mut_back slots i ListNil;
+ hash_map_clear_loop_fwd_back slots0 i1
+ od
+ else Return slots)
+
+ [hash_map_contains_key_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hash_map_contains_key_fwd self key =
+ do
+ hash <- hash_key_fwd key;
+ i <<- vec_len self.hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hash_map_slots hash_mod;
+ hash_map_contains_key_in_list_fwd key l
+ od
+
+ [hash_map_contains_key_in_list_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_contains_key_in_list_fwd key ls =
+ hash_map_contains_key_in_list_loop_fwd key ls
+
+ [hash_map_contains_key_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_contains_key_in_list_loop_fwd key ls =
+ case ls of
+ ListCons ckey t tl =>
+ if ckey = key then Return T
+ else hash_map_contains_key_in_list_loop_fwd key tl
+ | ListNil => Return F
+
+ [hash_map_get_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hash_map_get_fwd self key =
+ do
+ hash <- hash_key_fwd key;
+ i <<- vec_len self.hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hash_map_slots hash_mod;
+ hash_map_get_in_list_fwd key l
+ od
+
+ [hash_map_get_in_list_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_get_in_list_fwd key ls =
+ hash_map_get_in_list_loop_fwd key ls
+
+ [hash_map_get_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_get_in_list_loop_fwd key ls =
+ case ls of
+ ListCons ckey cvalue tl =>
+ if ckey = key then Return cvalue
+ else hash_map_get_in_list_loop_fwd key tl
+ | ListNil => Fail Failure
+
+ [hash_map_get_mut_back_def] Definition
+
+ ⊢ ∀self key ret.
+ hash_map_get_mut_back self key ret =
+ do
+ hash <- hash_key_fwd key;
+ i <<- vec_len self.hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ l0 <- hash_map_get_mut_in_list_back l key ret;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with hash_map_slots := v)
+ od
+
+ [hash_map_get_mut_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hash_map_get_mut_fwd self key =
+ do
+ hash <- hash_key_fwd key;
+ i <<- vec_len self.hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ hash_map_get_mut_in_list_fwd l key
+ od
+
+ [hash_map_get_mut_in_list_back_def] Definition
+
+ ⊢ ∀ls key ret.
+ hash_map_get_mut_in_list_back ls key ret =
+ hash_map_get_mut_in_list_loop_back ls key ret
+
+ [hash_map_get_mut_in_list_fwd_def] Definition
+
+ ⊢ ∀ls key.
+ hash_map_get_mut_in_list_fwd ls key =
+ hash_map_get_mut_in_list_loop_fwd ls key
+
+ [hash_map_get_mut_in_list_loop_back_def] Definition
+
+ ⊢ ∀ls key ret.
+ hash_map_get_mut_in_list_loop_back ls key ret =
+ case ls of
+ ListCons ckey cvalue tl =>
+ if ckey = key then Return (ListCons ckey ret tl)
+ else
+ do
+ tl0 <- hash_map_get_mut_in_list_loop_back tl key ret;
+ Return (ListCons ckey cvalue tl0)
+ od
+ | ListNil => Fail Failure
+
+ [hash_map_get_mut_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀ls key.
+ hash_map_get_mut_in_list_loop_fwd ls key =
+ case ls of
+ ListCons ckey cvalue tl =>
+ if ckey = key then Return cvalue
+ else hash_map_get_mut_in_list_loop_fwd tl key
+ | ListNil => Fail Failure
+
+ [hash_map_insert_fwd_back_def] Definition
+
+ ⊢ ∀self key value.
+ hash_map_insert_fwd_back self key value =
+ do
+ self0 <- hash_map_insert_no_resize_fwd_back self key value;
+ i <- hash_map_len_fwd self0;
+ if usize_gt i self0.hash_map_max_load then
+ hash_map_try_resize_fwd_back self0
+ else Return self0
+ od
+
+ [hash_map_insert_in_list_back_def] Definition
+
+ ⊢ ∀key value ls.
+ hash_map_insert_in_list_back key value ls =
+ hash_map_insert_in_list_loop_back key value ls
+
+ [hash_map_insert_in_list_fwd_def] Definition
+
+ ⊢ ∀key value ls.
+ hash_map_insert_in_list_fwd key value ls =
+ hash_map_insert_in_list_loop_fwd key value ls
+
+ [hash_map_insert_in_list_loop_back_def] Definition
+
+ ⊢ ∀key value ls.
+ hash_map_insert_in_list_loop_back key value ls =
+ case ls of
+ ListCons ckey cvalue tl =>
+ if ckey = key then Return (ListCons ckey value tl)
+ else
+ do
+ tl0 <- hash_map_insert_in_list_loop_back key value tl;
+ Return (ListCons ckey cvalue tl0)
+ od
+ | ListNil => (let l = ListNil in Return (ListCons key value l))
+
+ [hash_map_insert_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀key value ls.
+ hash_map_insert_in_list_loop_fwd key value ls =
+ case ls of
+ ListCons ckey cvalue tl =>
+ if ckey = key then Return F
+ else hash_map_insert_in_list_loop_fwd key value tl
+ | ListNil => Return T
+
+ [hash_map_insert_no_resize_fwd_back_def] Definition
+
+ ⊢ ∀self key value.
+ hash_map_insert_no_resize_fwd_back self key value =
+ do
+ hash <- hash_key_fwd key;
+ i <<- vec_len self.hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ inserted <- hash_map_insert_in_list_fwd key value l;
+ if inserted then
+ do
+ i0 <- usize_add self.hash_map_num_entries (int_to_usize 1);
+ l0 <- hash_map_insert_in_list_back key value l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return
+ (self with
+ <|hash_map_num_entries := i0; hash_map_slots := v|>)
+ od
+ else
+ do
+ l0 <- hash_map_insert_in_list_back key value l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with hash_map_slots := v)
+ od
+ od
+
+ [hash_map_len_fwd_def] Definition
+
+ ⊢ ∀self. hash_map_len_fwd self = Return self.hash_map_num_entries
+
+ [hash_map_move_elements_from_list_fwd_back_def] Definition
+
+ ⊢ ∀ntable ls.
+ hash_map_move_elements_from_list_fwd_back ntable ls =
+ hash_map_move_elements_from_list_loop_fwd_back ntable ls
+
+ [hash_map_move_elements_from_list_loop_fwd_back_def] Definition
+
+ ⊢ ∀ntable ls.
+ hash_map_move_elements_from_list_loop_fwd_back ntable ls =
+ case ls of
+ ListCons k v tl =>
+ do
+ ntable0 <- hash_map_insert_no_resize_fwd_back ntable k v;
+ hash_map_move_elements_from_list_loop_fwd_back ntable0 tl
+ od
+ | ListNil => Return ntable
+
+ [hash_map_move_elements_fwd_back_def] Definition
+
+ ⊢ ∀ntable slots i.
+ hash_map_move_elements_fwd_back ntable slots i =
+ hash_map_move_elements_loop_fwd_back ntable slots i
+
+ [hash_map_move_elements_loop_fwd_back_def] Definition
+
+ ⊢ ∀ntable slots i.
+ hash_map_move_elements_loop_fwd_back ntable slots i =
+ (let
+ i0 = vec_len slots
+ in
+ if usize_lt i i0 then
+ do
+ l <- vec_index_mut_fwd slots i;
+ ls <<- mem_replace_fwd l ListNil;
+ ntable0 <-
+ hash_map_move_elements_from_list_fwd_back ntable ls;
+ i1 <- usize_add i (int_to_usize 1);
+ l0 <<- mem_replace_back l ListNil;
+ slots0 <- vec_index_mut_back slots i l0;
+ hash_map_move_elements_loop_fwd_back ntable0 slots0 i1
+ od
+ else Return (ntable,slots))
+
+ [hash_map_new_fwd_def] Definition
+
+ ⊢ hash_map_new_fwd =
+ hash_map_new_with_capacity_fwd (int_to_usize 32) (int_to_usize 4)
+ (int_to_usize 5)
+
+ [hash_map_new_with_capacity_fwd_def] Definition
+
+ ⊢ ∀capacity max_load_dividend max_load_divisor.
+ hash_map_new_with_capacity_fwd capacity max_load_dividend
+ max_load_divisor =
+ (let
+ v = vec_new
+ in
+ do
+ slots <- hash_map_allocate_slots_fwd v capacity;
+ i <- usize_mul capacity max_load_dividend;
+ i0 <- usize_div i max_load_divisor;
+ Return
+ <|hash_map_num_entries := int_to_usize 0;
+ hash_map_max_load_factor :=
+ (max_load_dividend,max_load_divisor);
+ hash_map_max_load := i0; hash_map_slots := slots|>
+ od)
+
+ [hash_map_remove_back_def] Definition
+
+ ⊢ ∀self key.
+ hash_map_remove_back self key =
+ do
+ hash <- hash_key_fwd key;
+ i <<- vec_len self.hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ x <- hash_map_remove_from_list_fwd key l;
+ case x of
+ NONE =>
+ do
+ l0 <- hash_map_remove_from_list_back key l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return (self with hash_map_slots := v)
+ od
+ | SOME x0 =>
+ do
+ i0 <- usize_sub self.hash_map_num_entries (int_to_usize 1);
+ l0 <- hash_map_remove_from_list_back key l;
+ v <- vec_index_mut_back self.hash_map_slots hash_mod l0;
+ Return
+ (self with
+ <|hash_map_num_entries := i0; hash_map_slots := v|>)
+ od
+ od
+
+ [hash_map_remove_from_list_back_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_remove_from_list_back key ls =
+ hash_map_remove_from_list_loop_back key ls
+
+ [hash_map_remove_from_list_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_remove_from_list_fwd key ls =
+ hash_map_remove_from_list_loop_fwd key ls
+
+ [hash_map_remove_from_list_loop_back_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_remove_from_list_loop_back key ls =
+ case ls of
+ ListCons ckey t tl =>
+ if ckey = key then
+ (let
+ mv_ls = mem_replace_fwd (ListCons ckey t tl) ListNil
+ in
+ case mv_ls of
+ ListCons i cvalue tl0 => Return tl0
+ | ListNil => Fail Failure)
+ else
+ do
+ tl0 <- hash_map_remove_from_list_loop_back key tl;
+ Return (ListCons ckey t tl0)
+ od
+ | ListNil => Return ListNil
+
+ [hash_map_remove_from_list_loop_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hash_map_remove_from_list_loop_fwd key ls =
+ case ls of
+ ListCons ckey t tl =>
+ if ckey = key then
+ (let
+ mv_ls = mem_replace_fwd (ListCons ckey t tl) ListNil
+ in
+ case mv_ls of
+ ListCons i cvalue tl0 => Return (SOME cvalue)
+ | ListNil => Fail Failure)
+ else hash_map_remove_from_list_loop_fwd key tl
+ | ListNil => Return NONE
+
+ [hash_map_remove_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hash_map_remove_fwd self key =
+ do
+ hash <- hash_key_fwd key;
+ i <<- vec_len self.hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hash_map_slots hash_mod;
+ x <- hash_map_remove_from_list_fwd key l;
+ case x of
+ NONE => Return NONE
+ | SOME x0 =>
+ monad_ignore_bind
+ (usize_sub self.hash_map_num_entries (int_to_usize 1))
+ (Return (SOME x0))
+ od
+
+ [hash_map_try_resize_fwd_back_def] Definition
+
+ ⊢ ∀self.
+ hash_map_try_resize_fwd_back self =
+ do
+ max_usize <- mk_usize (u32_to_int core_num_u32_max_c);
+ capacity <<- vec_len self.hash_map_slots;
+ n1 <- usize_div max_usize (int_to_usize 2);
+ (i,i0) <<- self.hash_map_max_load_factor;
+ i1 <- usize_div n1 i;
+ if usize_le capacity i1 then
+ do
+ i2 <- usize_mul capacity (int_to_usize 2);
+ ntable <- hash_map_new_with_capacity_fwd i2 i i0;
+ (ntable0,_) <-
+ hash_map_move_elements_fwd_back ntable
+ self.hash_map_slots (int_to_usize 0);
+ Return
+ (ntable0 with
+ <|hash_map_num_entries := self.hash_map_num_entries;
+ hash_map_max_load_factor := (i,i0)|>)
+ od
+ else Return (self with hash_map_max_load_factor := (i,i0))
+ od
+
+ [test1_fwd_def] Definition
+
+ ⊢ test1_fwd =
+ do
+ hm <- hash_map_new_fwd;
+ hm0 <-
+ hash_map_insert_fwd_back hm (int_to_usize 0) (int_to_u64 42);
+ hm1 <-
+ hash_map_insert_fwd_back hm0 (int_to_usize 128) (int_to_u64 18);
+ hm2 <-
+ hash_map_insert_fwd_back hm1 (int_to_usize 1024)
+ (int_to_u64 138);
+ hm3 <-
+ hash_map_insert_fwd_back hm2 (int_to_usize 1056)
+ (int_to_u64 256);
+ i <- hash_map_get_fwd hm3 (int_to_usize 128);
+ if i ≠ int_to_u64 18 then Fail Failure
+ else
+ do
+ hm4 <-
+ hash_map_get_mut_back hm3 (int_to_usize 1024)
+ (int_to_u64 56);
+ i0 <- hash_map_get_fwd hm4 (int_to_usize 1024);
+ if i0 ≠ int_to_u64 56 then Fail Failure
+ else
+ do
+ x <- hash_map_remove_fwd hm4 (int_to_usize 1024);
+ case x of
+ NONE => Fail Failure
+ | SOME x0 =>
+ if x0 ≠ int_to_u64 56 then Fail Failure
+ else
+ do
+ hm5 <- hash_map_remove_back hm4 (int_to_usize 1024);
+ i1 <- hash_map_get_fwd hm5 (int_to_usize 0);
+ if i1 ≠ int_to_u64 42 then Fail Failure
+ else
+ do
+ i2 <- hash_map_get_fwd hm5 (int_to_usize 128);
+ if i2 ≠ int_to_u64 18 then Fail Failure
+ else
+ do
+ i3 <-
+ hash_map_get_fwd hm5 (int_to_usize 1056);
+ if i3 ≠ int_to_u64 256 then Fail Failure
+ else Return ()
+ od
+ od
+ od
+ od
+ od
+ od
+
+
+*)
+end
diff --git a/tests/hol4/hashmap/hashmap_TypesScript.sml b/tests/hol4/hashmap/hashmap_TypesScript.sml
new file mode 100644
index 00000000..a0865956
--- /dev/null
+++ b/tests/hol4/hashmap/hashmap_TypesScript.sml
@@ -0,0 +1,24 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [hashmap]: type definitions *)
+open primitivesLib divDefLib
+
+val _ = new_theory "hashmap_Types"
+
+
+Datatype:
+ (** [hashmap::List] *)
+ list_t = | ListCons usize 't list_t | ListNil
+End
+
+Datatype:
+ (** [hashmap::HashMap] *)
+ hash_map_t =
+ <|
+ hash_map_num_entries : usize;
+ hash_map_max_load_factor : (usize # usize);
+ hash_map_max_load : usize;
+ hash_map_slots : 't list_t vec;
+ |>
+End
+
+val _ = export_theory ()
diff --git a/tests/hol4/hashmap/hashmap_TypesTheory.sig b/tests/hol4/hashmap/hashmap_TypesTheory.sig
new file mode 100644
index 00000000..4ad77ac5
--- /dev/null
+++ b/tests/hol4/hashmap/hashmap_TypesTheory.sig
@@ -0,0 +1,494 @@
+signature hashmap_TypesTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val hash_map_t_TY_DEF : thm
+ val hash_map_t_case_def : thm
+ val hash_map_t_size_def : thm
+ val list_t_TY_DEF : thm
+ val list_t_case_def : thm
+ val list_t_size_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_max_load_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_max_load_factor_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_max_load_factor_fupd_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_max_load_fupd_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_num_entries_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_num_entries_fupd_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_slots_def : thm
+ val recordtype_hash_map_t_seldef_hash_map_slots_fupd_def : thm
+
+ (* Theorems *)
+ val EXISTS_hash_map_t : thm
+ val FORALL_hash_map_t : thm
+ val datatype_hash_map_t : thm
+ val datatype_list_t : thm
+ val hash_map_t_11 : thm
+ val hash_map_t_Axiom : thm
+ val hash_map_t_accessors : thm
+ val hash_map_t_accfupds : thm
+ val hash_map_t_case_cong : thm
+ val hash_map_t_case_eq : thm
+ val hash_map_t_component_equality : thm
+ val hash_map_t_fn_updates : thm
+ val hash_map_t_fupdcanon : thm
+ val hash_map_t_fupdcanon_comp : thm
+ val hash_map_t_fupdfupds : thm
+ val hash_map_t_fupdfupds_comp : thm
+ val hash_map_t_induction : thm
+ val hash_map_t_literal_11 : thm
+ val hash_map_t_literal_nchotomy : thm
+ val hash_map_t_nchotomy : thm
+ val hash_map_t_updates_eq_literal : thm
+ val list_t_11 : thm
+ val list_t_Axiom : thm
+ val list_t_case_cong : thm
+ val list_t_case_eq : thm
+ val list_t_distinct : thm
+ val list_t_induction : thm
+ val list_t_nchotomy : thm
+
+ val hashmap_Types_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "hashmap_Types"
+
+ [hash_map_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('hash_map_t').
+ (∀a0'.
+ (∃a0 a1 a2 a3.
+ a0' =
+ (λa0 a1 a2 a3.
+ ind_type$CONSTR 0 (a0,a1,a2,a3)
+ (λn. ind_type$BOTTOM)) a0 a1 a2 a3) ⇒
+ $var$('hash_map_t') a0') ⇒
+ $var$('hash_map_t') a0') rep
+
+ [hash_map_t_case_def] Definition
+
+ ⊢ ∀a0 a1 a2 a3 f.
+ hash_map_t_CASE (hash_map_t a0 a1 a2 a3) f = f a0 a1 a2 a3
+
+ [hash_map_t_size_def] Definition
+
+ ⊢ ∀f a0 a1 a2 a3.
+ hash_map_t_size f (hash_map_t a0 a1 a2 a3) =
+ 1 + pair_size (λv. 0) (λv. 0) a1
+
+ [list_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('list_t').
+ (∀a0'.
+ (∃a0 a1 a2.
+ a0' =
+ (λa0 a1 a2.
+ ind_type$CONSTR 0 (a0,a1)
+ (ind_type$FCONS a2 (λn. ind_type$BOTTOM)))
+ a0 a1 a2 ∧ $var$('list_t') a2) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) (ARB,ARB)
+ (λn. ind_type$BOTTOM) ⇒
+ $var$('list_t') a0') ⇒
+ $var$('list_t') a0') rep
+
+ [list_t_case_def] Definition
+
+ ⊢ (∀a0 a1 a2 f v. list_t_CASE (ListCons a0 a1 a2) f v = f a0 a1 a2) ∧
+ ∀f v. list_t_CASE ListNil f v = v
+
+ [list_t_size_def] Definition
+
+ ⊢ (∀f a0 a1 a2.
+ list_t_size f (ListCons a0 a1 a2) =
+ 1 + (f a1 + list_t_size f a2)) ∧ ∀f. list_t_size f ListNil = 0
+
+ [recordtype_hash_map_t_seldef_hash_map_max_load_def] Definition
+
+ ⊢ ∀u p u0 v. (hash_map_t u p u0 v).hash_map_max_load = u0
+
+ [recordtype_hash_map_t_seldef_hash_map_max_load_factor_def] Definition
+
+ ⊢ ∀u p u0 v. (hash_map_t u p u0 v).hash_map_max_load_factor = p
+
+ [recordtype_hash_map_t_seldef_hash_map_max_load_factor_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_max_load_factor updated_by f =
+ hash_map_t u (f p) u0 v
+
+ [recordtype_hash_map_t_seldef_hash_map_max_load_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_max_load updated_by f =
+ hash_map_t u p (f u0) v
+
+ [recordtype_hash_map_t_seldef_hash_map_num_entries_def] Definition
+
+ ⊢ ∀u p u0 v. (hash_map_t u p u0 v).hash_map_num_entries = u
+
+ [recordtype_hash_map_t_seldef_hash_map_num_entries_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_num_entries updated_by f =
+ hash_map_t (f u) p u0 v
+
+ [recordtype_hash_map_t_seldef_hash_map_slots_def] Definition
+
+ ⊢ ∀u p u0 v. (hash_map_t u p u0 v).hash_map_slots = v
+
+ [recordtype_hash_map_t_seldef_hash_map_slots_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_slots updated_by f =
+ hash_map_t u p u0 (f v)
+
+ [EXISTS_hash_map_t] Theorem
+
+ ⊢ ∀P. (∃h. P h) ⇔
+ ∃u0 p u v.
+ P
+ <|hash_map_num_entries := u0;
+ hash_map_max_load_factor := p; hash_map_max_load := u;
+ hash_map_slots := v|>
+
+ [FORALL_hash_map_t] Theorem
+
+ ⊢ ∀P. (∀h. P h) ⇔
+ ∀u0 p u v.
+ P
+ <|hash_map_num_entries := u0;
+ hash_map_max_load_factor := p; hash_map_max_load := u;
+ hash_map_slots := v|>
+
+ [datatype_hash_map_t] Theorem
+
+ ⊢ DATATYPE
+ (record hash_map_t hash_map_num_entries hash_map_max_load_factor
+ hash_map_max_load hash_map_slots)
+
+ [datatype_list_t] Theorem
+
+ ⊢ DATATYPE (list_t ListCons ListNil)
+
+ [hash_map_t_11] Theorem
+
+ ⊢ ∀a0 a1 a2 a3 a0' a1' a2' a3'.
+ hash_map_t a0 a1 a2 a3 = hash_map_t a0' a1' a2' a3' ⇔
+ a0 = a0' ∧ a1 = a1' ∧ a2 = a2' ∧ a3 = a3'
+
+ [hash_map_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a0 a1 a2 a3. fn (hash_map_t a0 a1 a2 a3) = f a0 a1 a2 a3
+
+ [hash_map_t_accessors] Theorem
+
+ ⊢ (∀u p u0 v. (hash_map_t u p u0 v).hash_map_num_entries = u) ∧
+ (∀u p u0 v. (hash_map_t u p u0 v).hash_map_max_load_factor = p) ∧
+ (∀u p u0 v. (hash_map_t u p u0 v).hash_map_max_load = u0) ∧
+ ∀u p u0 v. (hash_map_t u p u0 v).hash_map_slots = v
+
+ [hash_map_t_accfupds] Theorem
+
+ ⊢ (∀h f.
+ (h with hash_map_max_load_factor updated_by f).
+ hash_map_num_entries =
+ h.hash_map_num_entries) ∧
+ (∀h f.
+ (h with hash_map_max_load updated_by f).hash_map_num_entries =
+ h.hash_map_num_entries) ∧
+ (∀h f.
+ (h with hash_map_slots updated_by f).hash_map_num_entries =
+ h.hash_map_num_entries) ∧
+ (∀h f.
+ (h with hash_map_num_entries updated_by f).
+ hash_map_max_load_factor =
+ h.hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hash_map_max_load updated_by f).hash_map_max_load_factor =
+ h.hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hash_map_slots updated_by f).hash_map_max_load_factor =
+ h.hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hash_map_num_entries updated_by f).hash_map_max_load =
+ h.hash_map_max_load) ∧
+ (∀h f.
+ (h with hash_map_max_load_factor updated_by f).hash_map_max_load =
+ h.hash_map_max_load) ∧
+ (∀h f.
+ (h with hash_map_slots updated_by f).hash_map_max_load =
+ h.hash_map_max_load) ∧
+ (∀h f.
+ (h with hash_map_num_entries updated_by f).hash_map_slots =
+ h.hash_map_slots) ∧
+ (∀h f.
+ (h with hash_map_max_load_factor updated_by f).hash_map_slots =
+ h.hash_map_slots) ∧
+ (∀h f.
+ (h with hash_map_max_load updated_by f).hash_map_slots =
+ h.hash_map_slots) ∧
+ (∀h f.
+ (h with hash_map_num_entries updated_by f).hash_map_num_entries =
+ f h.hash_map_num_entries) ∧
+ (∀h f.
+ (h with hash_map_max_load_factor updated_by f).
+ hash_map_max_load_factor =
+ f h.hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hash_map_max_load updated_by f).hash_map_max_load =
+ f h.hash_map_max_load) ∧
+ ∀h f.
+ (h with hash_map_slots updated_by f).hash_map_slots =
+ f h.hash_map_slots
+
+ [hash_map_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧
+ (∀a0 a1 a2 a3.
+ M' = hash_map_t a0 a1 a2 a3 ⇒ f a0 a1 a2 a3 = f' a0 a1 a2 a3) ⇒
+ hash_map_t_CASE M f = hash_map_t_CASE M' f'
+
+ [hash_map_t_case_eq] Theorem
+
+ ⊢ hash_map_t_CASE x f = v ⇔
+ ∃u p u0 v'. x = hash_map_t u p u0 v' ∧ f u p u0 v' = v
+
+ [hash_map_t_component_equality] Theorem
+
+ ⊢ ∀h1 h2.
+ h1 = h2 ⇔
+ h1.hash_map_num_entries = h2.hash_map_num_entries ∧
+ h1.hash_map_max_load_factor = h2.hash_map_max_load_factor ∧
+ h1.hash_map_max_load = h2.hash_map_max_load ∧
+ h1.hash_map_slots = h2.hash_map_slots
+
+ [hash_map_t_fn_updates] Theorem
+
+ ⊢ (∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_num_entries updated_by f =
+ hash_map_t (f u) p u0 v) ∧
+ (∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_max_load_factor updated_by f =
+ hash_map_t u (f p) u0 v) ∧
+ (∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_max_load updated_by f =
+ hash_map_t u p (f u0) v) ∧
+ ∀f u p u0 v.
+ hash_map_t u p u0 v with hash_map_slots updated_by f =
+ hash_map_t u p u0 (f v)
+
+ [hash_map_t_fupdcanon] Theorem
+
+ ⊢ (∀h g f.
+ h with
+ <|hash_map_max_load_factor updated_by f;
+ hash_map_num_entries updated_by g|> =
+ h with
+ <|hash_map_num_entries updated_by g;
+ hash_map_max_load_factor updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hash_map_max_load updated_by f;
+ hash_map_num_entries updated_by g|> =
+ h with
+ <|hash_map_num_entries updated_by g;
+ hash_map_max_load updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hash_map_max_load updated_by f;
+ hash_map_max_load_factor updated_by g|> =
+ h with
+ <|hash_map_max_load_factor updated_by g;
+ hash_map_max_load updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hash_map_slots updated_by f;
+ hash_map_num_entries updated_by g|> =
+ h with
+ <|hash_map_num_entries updated_by g;
+ hash_map_slots updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hash_map_slots updated_by f;
+ hash_map_max_load_factor updated_by g|> =
+ h with
+ <|hash_map_max_load_factor updated_by g;
+ hash_map_slots updated_by f|>) ∧
+ ∀h g f.
+ h with
+ <|hash_map_slots updated_by f; hash_map_max_load updated_by g|> =
+ h with
+ <|hash_map_max_load updated_by g; hash_map_slots updated_by f|>
+
+ [hash_map_t_fupdcanon_comp] Theorem
+
+ ⊢ ((∀g f.
+ hash_map_max_load_factor_fupd f ∘ hash_map_num_entries_fupd g =
+ hash_map_num_entries_fupd g ∘ hash_map_max_load_factor_fupd f) ∧
+ ∀h g f.
+ hash_map_max_load_factor_fupd f ∘ hash_map_num_entries_fupd g ∘
+ h =
+ hash_map_num_entries_fupd g ∘ hash_map_max_load_factor_fupd f ∘
+ h) ∧
+ ((∀g f.
+ hash_map_max_load_fupd f ∘ hash_map_num_entries_fupd g =
+ hash_map_num_entries_fupd g ∘ hash_map_max_load_fupd f) ∧
+ ∀h g f.
+ hash_map_max_load_fupd f ∘ hash_map_num_entries_fupd g ∘ h =
+ hash_map_num_entries_fupd g ∘ hash_map_max_load_fupd f ∘ h) ∧
+ ((∀g f.
+ hash_map_max_load_fupd f ∘ hash_map_max_load_factor_fupd g =
+ hash_map_max_load_factor_fupd g ∘ hash_map_max_load_fupd f) ∧
+ ∀h g f.
+ hash_map_max_load_fupd f ∘ hash_map_max_load_factor_fupd g ∘ h =
+ hash_map_max_load_factor_fupd g ∘ hash_map_max_load_fupd f ∘ h) ∧
+ ((∀g f.
+ hash_map_slots_fupd f ∘ hash_map_num_entries_fupd g =
+ hash_map_num_entries_fupd g ∘ hash_map_slots_fupd f) ∧
+ ∀h g f.
+ hash_map_slots_fupd f ∘ hash_map_num_entries_fupd g ∘ h =
+ hash_map_num_entries_fupd g ∘ hash_map_slots_fupd f ∘ h) ∧
+ ((∀g f.
+ hash_map_slots_fupd f ∘ hash_map_max_load_factor_fupd g =
+ hash_map_max_load_factor_fupd g ∘ hash_map_slots_fupd f) ∧
+ ∀h g f.
+ hash_map_slots_fupd f ∘ hash_map_max_load_factor_fupd g ∘ h =
+ hash_map_max_load_factor_fupd g ∘ hash_map_slots_fupd f ∘ h) ∧
+ (∀g f.
+ hash_map_slots_fupd f ∘ hash_map_max_load_fupd g =
+ hash_map_max_load_fupd g ∘ hash_map_slots_fupd f) ∧
+ ∀h g f.
+ hash_map_slots_fupd f ∘ hash_map_max_load_fupd g ∘ h =
+ hash_map_max_load_fupd g ∘ hash_map_slots_fupd f ∘ h
+
+ [hash_map_t_fupdfupds] Theorem
+
+ ⊢ (∀h g f.
+ h with
+ <|hash_map_num_entries updated_by f;
+ hash_map_num_entries updated_by g|> =
+ h with hash_map_num_entries updated_by f ∘ g) ∧
+ (∀h g f.
+ h with
+ <|hash_map_max_load_factor updated_by f;
+ hash_map_max_load_factor updated_by g|> =
+ h with hash_map_max_load_factor updated_by f ∘ g) ∧
+ (∀h g f.
+ h with
+ <|hash_map_max_load updated_by f;
+ hash_map_max_load updated_by g|> =
+ h with hash_map_max_load updated_by f ∘ g) ∧
+ ∀h g f.
+ h with
+ <|hash_map_slots updated_by f; hash_map_slots updated_by g|> =
+ h with hash_map_slots updated_by f ∘ g
+
+ [hash_map_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f.
+ hash_map_num_entries_fupd f ∘ hash_map_num_entries_fupd g =
+ hash_map_num_entries_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hash_map_num_entries_fupd f ∘ hash_map_num_entries_fupd g ∘ h =
+ hash_map_num_entries_fupd (f ∘ g) ∘ h) ∧
+ ((∀g f.
+ hash_map_max_load_factor_fupd f ∘
+ hash_map_max_load_factor_fupd g =
+ hash_map_max_load_factor_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hash_map_max_load_factor_fupd f ∘
+ hash_map_max_load_factor_fupd g ∘ h =
+ hash_map_max_load_factor_fupd (f ∘ g) ∘ h) ∧
+ ((∀g f.
+ hash_map_max_load_fupd f ∘ hash_map_max_load_fupd g =
+ hash_map_max_load_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hash_map_max_load_fupd f ∘ hash_map_max_load_fupd g ∘ h =
+ hash_map_max_load_fupd (f ∘ g) ∘ h) ∧
+ (∀g f.
+ hash_map_slots_fupd f ∘ hash_map_slots_fupd g =
+ hash_map_slots_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hash_map_slots_fupd f ∘ hash_map_slots_fupd g ∘ h =
+ hash_map_slots_fupd (f ∘ g) ∘ h
+
+ [hash_map_t_induction] Theorem
+
+ ⊢ ∀P. (∀u p u0 v. P (hash_map_t u p u0 v)) ⇒ ∀h. P h
+
+ [hash_map_t_literal_11] Theorem
+
+ ⊢ ∀u01 p1 u1 v1 u02 p2 u2 v2.
+ <|hash_map_num_entries := u01; hash_map_max_load_factor := p1;
+ hash_map_max_load := u1; hash_map_slots := v1|> =
+ <|hash_map_num_entries := u02; hash_map_max_load_factor := p2;
+ hash_map_max_load := u2; hash_map_slots := v2|> ⇔
+ u01 = u02 ∧ p1 = p2 ∧ u1 = u2 ∧ v1 = v2
+
+ [hash_map_t_literal_nchotomy] Theorem
+
+ ⊢ ∀h. ∃u0 p u v.
+ h =
+ <|hash_map_num_entries := u0; hash_map_max_load_factor := p;
+ hash_map_max_load := u; hash_map_slots := v|>
+
+ [hash_map_t_nchotomy] Theorem
+
+ ⊢ ∀hh. ∃u p u0 v. hh = hash_map_t u p u0 v
+
+ [hash_map_t_updates_eq_literal] Theorem
+
+ ⊢ ∀h u0 p u v.
+ h with
+ <|hash_map_num_entries := u0; hash_map_max_load_factor := p;
+ hash_map_max_load := u; hash_map_slots := v|> =
+ <|hash_map_num_entries := u0; hash_map_max_load_factor := p;
+ hash_map_max_load := u; hash_map_slots := v|>
+
+ [list_t_11] Theorem
+
+ ⊢ ∀a0 a1 a2 a0' a1' a2'.
+ ListCons a0 a1 a2 = ListCons a0' a1' a2' ⇔
+ a0 = a0' ∧ a1 = a1' ∧ a2 = a2'
+
+ [list_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a0 a1 a2. fn (ListCons a0 a1 a2) = f0 a0 a1 a2 (fn a2)) ∧
+ fn ListNil = f1
+
+ [list_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧
+ (∀a0 a1 a2. M' = ListCons a0 a1 a2 ⇒ f a0 a1 a2 = f' a0 a1 a2) ∧
+ (M' = ListNil ⇒ v = v') ⇒
+ list_t_CASE M f v = list_t_CASE M' f' v'
+
+ [list_t_case_eq] Theorem
+
+ ⊢ list_t_CASE x f v = v' ⇔
+ (∃u t l. x = ListCons u t l ∧ f u t l = v') ∨ x = ListNil ∧ v = v'
+
+ [list_t_distinct] Theorem
+
+ ⊢ ∀a2 a1 a0. ListCons a0 a1 a2 ≠ ListNil
+
+ [list_t_induction] Theorem
+
+ ⊢ ∀P. (∀l. P l ⇒ ∀t u. P (ListCons u t l)) ∧ P ListNil ⇒ ∀l. P l
+
+ [list_t_nchotomy] Theorem
+
+ ⊢ ∀ll. (∃u t l. ll = ListCons u t l) ∨ ll = ListNil
+
+
+*)
+end
diff --git a/tests/hol4/hashmap_on_disk/Holmakefile b/tests/hol4/hashmap_on_disk/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/hashmap_on_disk/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/hashmap_on_disk/hashmapMain_FunsScript.sml b/tests/hol4/hashmap_on_disk/hashmapMain_FunsScript.sml
new file mode 100644
index 00000000..5a8f7ff8
--- /dev/null
+++ b/tests/hol4/hashmap_on_disk/hashmapMain_FunsScript.sml
@@ -0,0 +1,646 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [hashmap_main]: function definitions *)
+open primitivesLib divDefLib
+open hashmapMain_TypesTheory hashmapMain_OpaqueTheory
+
+val _ = new_theory "hashmapMain_Funs"
+
+
+val hashmap_hash_key_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::hash_key] *)
+ hashmap_hash_key_fwd (k : usize) : usize result =
+ Return k
+’
+
+val [hashmap_hash_map_allocate_slots_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::allocate_slots] *)
+ hashmap_hash_map_allocate_slots_loop_fwd
+ (slots : 't hashmap_list_t vec) (n : usize) :
+ 't hashmap_list_t vec result
+ =
+ if usize_gt n (int_to_usize 0)
+ then (
+ do
+ slots0 <- vec_push_back slots HashmapListNil;
+ n0 <- usize_sub n (int_to_usize 1);
+ hashmap_hash_map_allocate_slots_loop_fwd slots0 n0
+ od)
+ else Return slots
+’
+
+val hashmap_hash_map_allocate_slots_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::allocate_slots] *)
+ hashmap_hash_map_allocate_slots_fwd
+ (slots : 't hashmap_list_t vec) (n : usize) :
+ 't hashmap_list_t vec result
+ =
+ hashmap_hash_map_allocate_slots_loop_fwd slots n
+’
+
+val hashmap_hash_map_new_with_capacity_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::new_with_capacity] *)
+ hashmap_hash_map_new_with_capacity_fwd
+ (capacity : usize) (max_load_dividend : usize) (max_load_divisor : usize) :
+ 't hashmap_hash_map_t result
+ =
+ let v = vec_new in
+ do
+ slots <- hashmap_hash_map_allocate_slots_fwd v capacity;
+ i <- usize_mul capacity max_load_dividend;
+ i0 <- usize_div i max_load_divisor;
+ Return
+ (<|
+ hashmap_hash_map_num_entries := (int_to_usize 0);
+ hashmap_hash_map_max_load_factor :=
+ (max_load_dividend, max_load_divisor);
+ hashmap_hash_map_max_load := i0;
+ hashmap_hash_map_slots := slots
+ |>)
+ od
+’
+
+val hashmap_hash_map_new_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::new] *)
+ hashmap_hash_map_new_fwd : 't hashmap_hash_map_t result =
+ hashmap_hash_map_new_with_capacity_fwd (int_to_usize 32) (int_to_usize 4)
+ (int_to_usize 5)
+’
+
+val [hashmap_hash_map_clear_loop_fwd_back_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::clear] *)
+ hashmap_hash_map_clear_loop_fwd_back
+ (slots : 't hashmap_list_t vec) (i : usize) :
+ 't hashmap_list_t vec result
+ =
+ let i0 = vec_len slots in
+ if usize_lt i i0
+ then (
+ do
+ i1 <- usize_add i (int_to_usize 1);
+ slots0 <- vec_index_mut_back slots i HashmapListNil;
+ hashmap_hash_map_clear_loop_fwd_back slots0 i1
+ od)
+ else Return slots
+’
+
+val hashmap_hash_map_clear_fwd_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::clear] *)
+ hashmap_hash_map_clear_fwd_back
+ (self : 't hashmap_hash_map_t) : 't hashmap_hash_map_t result =
+ do
+ v <-
+ hashmap_hash_map_clear_loop_fwd_back self.hashmap_hash_map_slots
+ (int_to_usize 0);
+ Return
+ (self
+ with
+ <|
+ hashmap_hash_map_num_entries := (int_to_usize 0);
+ hashmap_hash_map_slots := v
+ |>)
+ od
+’
+
+val hashmap_hash_map_len_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::len] *)
+ hashmap_hash_map_len_fwd (self : 't hashmap_hash_map_t) : usize result =
+ Return self.hashmap_hash_map_num_entries
+’
+
+val [hashmap_hash_map_insert_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::insert_in_list] *)
+ hashmap_hash_map_insert_in_list_loop_fwd
+ (key : usize) (value : 't) (ls : 't hashmap_list_t) : bool result =
+ (case ls of
+ | HashmapListCons ckey cvalue tl =>
+ if ckey = key
+ then Return F
+ else hashmap_hash_map_insert_in_list_loop_fwd key value tl
+ | HashmapListNil => Return T)
+’
+
+val hashmap_hash_map_insert_in_list_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::insert_in_list] *)
+ hashmap_hash_map_insert_in_list_fwd
+ (key : usize) (value : 't) (ls : 't hashmap_list_t) : bool result =
+ hashmap_hash_map_insert_in_list_loop_fwd key value ls
+’
+
+val [hashmap_hash_map_insert_in_list_loop_back_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::insert_in_list] *)
+ hashmap_hash_map_insert_in_list_loop_back
+ (key : usize) (value : 't) (ls : 't hashmap_list_t) :
+ 't hashmap_list_t result
+ =
+ (case ls of
+ | HashmapListCons ckey cvalue tl =>
+ if ckey = key
+ then Return (HashmapListCons ckey value tl)
+ else (
+ do
+ tl0 <- hashmap_hash_map_insert_in_list_loop_back key value tl;
+ Return (HashmapListCons ckey cvalue tl0)
+ od)
+ | HashmapListNil =>
+ let l = HashmapListNil in Return (HashmapListCons key value l))
+’
+
+val hashmap_hash_map_insert_in_list_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::insert_in_list] *)
+ hashmap_hash_map_insert_in_list_back
+ (key : usize) (value : 't) (ls : 't hashmap_list_t) :
+ 't hashmap_list_t result
+ =
+ hashmap_hash_map_insert_in_list_loop_back key value ls
+’
+
+val hashmap_hash_map_insert_no_resize_fwd_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::insert_no_resize] *)
+ hashmap_hash_map_insert_no_resize_fwd_back
+ (self : 't hashmap_hash_map_t) (key : usize) (value : 't) :
+ 't hashmap_hash_map_t result
+ =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ let i = vec_len self.hashmap_hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ inserted <- hashmap_hash_map_insert_in_list_fwd key value l;
+ if inserted
+ then (
+ do
+ i0 <- usize_add self.hashmap_hash_map_num_entries (int_to_usize 1);
+ l0 <- hashmap_hash_map_insert_in_list_back key value l;
+ v <- vec_index_mut_back self.hashmap_hash_map_slots hash_mod l0;
+ Return
+ (self
+ with
+ <|
+ hashmap_hash_map_num_entries := i0; hashmap_hash_map_slots := v
+ |>)
+ od)
+ else (
+ do
+ l0 <- hashmap_hash_map_insert_in_list_back key value l;
+ v <- vec_index_mut_back self.hashmap_hash_map_slots hash_mod l0;
+ Return (self with <| hashmap_hash_map_slots := v |>)
+ od)
+ od
+ od
+’
+
+(** [core::num::u32::{9}::MAX] *)
+Definition core_num_u32_max_body_def:
+ core_num_u32_max_body : u32 result = Return (int_to_u32 4294967295)
+End
+Definition core_num_u32_max_c_def:
+ core_num_u32_max_c : u32 = get_return_value core_num_u32_max_body
+End
+
+val [hashmap_hash_map_move_elements_from_list_loop_fwd_back_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::move_elements_from_list] *)
+ hashmap_hash_map_move_elements_from_list_loop_fwd_back
+ (ntable : 't hashmap_hash_map_t) (ls : 't hashmap_list_t) :
+ 't hashmap_hash_map_t result
+ =
+ (case ls of
+ | HashmapListCons k v tl =>
+ do
+ ntable0 <- hashmap_hash_map_insert_no_resize_fwd_back ntable k v;
+ hashmap_hash_map_move_elements_from_list_loop_fwd_back ntable0 tl
+ od
+ | HashmapListNil => Return ntable)
+’
+
+val hashmap_hash_map_move_elements_from_list_fwd_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::move_elements_from_list] *)
+ hashmap_hash_map_move_elements_from_list_fwd_back
+ (ntable : 't hashmap_hash_map_t) (ls : 't hashmap_list_t) :
+ 't hashmap_hash_map_t result
+ =
+ hashmap_hash_map_move_elements_from_list_loop_fwd_back ntable ls
+’
+
+val [hashmap_hash_map_move_elements_loop_fwd_back_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::move_elements] *)
+ hashmap_hash_map_move_elements_loop_fwd_back
+ (ntable : 't hashmap_hash_map_t) (slots : 't hashmap_list_t vec)
+ (i : usize) :
+ ('t hashmap_hash_map_t # 't hashmap_list_t vec) result
+ =
+ let i0 = vec_len slots in
+ if usize_lt i i0
+ then (
+ do
+ l <- vec_index_mut_fwd slots i;
+ let ls = mem_replace_fwd l HashmapListNil in
+ do
+ ntable0 <- hashmap_hash_map_move_elements_from_list_fwd_back ntable ls;
+ i1 <- usize_add i (int_to_usize 1);
+ let l0 = mem_replace_back l HashmapListNil in
+ do
+ slots0 <- vec_index_mut_back slots i l0;
+ hashmap_hash_map_move_elements_loop_fwd_back ntable0 slots0 i1
+ od
+ od
+ od)
+ else Return (ntable, slots)
+’
+
+val hashmap_hash_map_move_elements_fwd_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::move_elements] *)
+ hashmap_hash_map_move_elements_fwd_back
+ (ntable : 't hashmap_hash_map_t) (slots : 't hashmap_list_t vec)
+ (i : usize) :
+ ('t hashmap_hash_map_t # 't hashmap_list_t vec) result
+ =
+ hashmap_hash_map_move_elements_loop_fwd_back ntable slots i
+’
+
+val hashmap_hash_map_try_resize_fwd_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::try_resize] *)
+ hashmap_hash_map_try_resize_fwd_back
+ (self : 't hashmap_hash_map_t) : 't hashmap_hash_map_t result =
+ do
+ max_usize <- mk_usize (u32_to_int core_num_u32_max_c);
+ let capacity = vec_len self.hashmap_hash_map_slots in
+ do
+ n1 <- usize_div max_usize (int_to_usize 2);
+ let (i, i0) = self.hashmap_hash_map_max_load_factor in
+ do
+ i1 <- usize_div n1 i;
+ if usize_le capacity i1
+ then (
+ do
+ i2 <- usize_mul capacity (int_to_usize 2);
+ ntable <- hashmap_hash_map_new_with_capacity_fwd i2 i i0;
+ (ntable0, _) <-
+ hashmap_hash_map_move_elements_fwd_back ntable
+ self.hashmap_hash_map_slots (int_to_usize 0);
+ Return
+ (ntable0
+ with
+ <|
+ hashmap_hash_map_num_entries := self.hashmap_hash_map_num_entries;
+ hashmap_hash_map_max_load_factor := (i, i0)
+ |>)
+ od)
+ else Return (self with <| hashmap_hash_map_max_load_factor := (i, i0) |>)
+ od
+ od
+ od
+’
+
+val hashmap_hash_map_insert_fwd_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::insert] *)
+ hashmap_hash_map_insert_fwd_back
+ (self : 't hashmap_hash_map_t) (key : usize) (value : 't) :
+ 't hashmap_hash_map_t result
+ =
+ do
+ self0 <- hashmap_hash_map_insert_no_resize_fwd_back self key value;
+ i <- hashmap_hash_map_len_fwd self0;
+ if usize_gt i self0.hashmap_hash_map_max_load
+ then hashmap_hash_map_try_resize_fwd_back self0
+ else Return self0
+ od
+’
+
+val [hashmap_hash_map_contains_key_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::contains_key_in_list] *)
+ hashmap_hash_map_contains_key_in_list_loop_fwd
+ (key : usize) (ls : 't hashmap_list_t) : bool result =
+ (case ls of
+ | HashmapListCons ckey t tl =>
+ if ckey = key
+ then Return T
+ else hashmap_hash_map_contains_key_in_list_loop_fwd key tl
+ | HashmapListNil => Return F)
+’
+
+val hashmap_hash_map_contains_key_in_list_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::contains_key_in_list] *)
+ hashmap_hash_map_contains_key_in_list_fwd
+ (key : usize) (ls : 't hashmap_list_t) : bool result =
+ hashmap_hash_map_contains_key_in_list_loop_fwd key ls
+’
+
+val hashmap_hash_map_contains_key_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::contains_key] *)
+ hashmap_hash_map_contains_key_fwd
+ (self : 't hashmap_hash_map_t) (key : usize) : bool result =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ let i = vec_len self.hashmap_hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hashmap_hash_map_slots hash_mod;
+ hashmap_hash_map_contains_key_in_list_fwd key l
+ od
+ od
+’
+
+val [hashmap_hash_map_get_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_in_list] *)
+ hashmap_hash_map_get_in_list_loop_fwd
+ (key : usize) (ls : 't hashmap_list_t) : 't result =
+ (case ls of
+ | HashmapListCons ckey cvalue tl =>
+ if ckey = key
+ then Return cvalue
+ else hashmap_hash_map_get_in_list_loop_fwd key tl
+ | HashmapListNil => Fail Failure)
+’
+
+val hashmap_hash_map_get_in_list_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_in_list] *)
+ hashmap_hash_map_get_in_list_fwd
+ (key : usize) (ls : 't hashmap_list_t) : 't result =
+ hashmap_hash_map_get_in_list_loop_fwd key ls
+’
+
+val hashmap_hash_map_get_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get] *)
+ hashmap_hash_map_get_fwd
+ (self : 't hashmap_hash_map_t) (key : usize) : 't result =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ let i = vec_len self.hashmap_hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hashmap_hash_map_slots hash_mod;
+ hashmap_hash_map_get_in_list_fwd key l
+ od
+ od
+’
+
+val [hashmap_hash_map_get_mut_in_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_mut_in_list] *)
+ hashmap_hash_map_get_mut_in_list_loop_fwd
+ (ls : 't hashmap_list_t) (key : usize) : 't result =
+ (case ls of
+ | HashmapListCons ckey cvalue tl =>
+ if ckey = key
+ then Return cvalue
+ else hashmap_hash_map_get_mut_in_list_loop_fwd tl key
+ | HashmapListNil => Fail Failure)
+’
+
+val hashmap_hash_map_get_mut_in_list_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_mut_in_list] *)
+ hashmap_hash_map_get_mut_in_list_fwd
+ (ls : 't hashmap_list_t) (key : usize) : 't result =
+ hashmap_hash_map_get_mut_in_list_loop_fwd ls key
+’
+
+val [hashmap_hash_map_get_mut_in_list_loop_back_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_mut_in_list] *)
+ hashmap_hash_map_get_mut_in_list_loop_back
+ (ls : 't hashmap_list_t) (key : usize) (ret : 't) :
+ 't hashmap_list_t result
+ =
+ (case ls of
+ | HashmapListCons ckey cvalue tl =>
+ if ckey = key
+ then Return (HashmapListCons ckey ret tl)
+ else (
+ do
+ tl0 <- hashmap_hash_map_get_mut_in_list_loop_back tl key ret;
+ Return (HashmapListCons ckey cvalue tl0)
+ od)
+ | HashmapListNil => Fail Failure)
+’
+
+val hashmap_hash_map_get_mut_in_list_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_mut_in_list] *)
+ hashmap_hash_map_get_mut_in_list_back
+ (ls : 't hashmap_list_t) (key : usize) (ret : 't) :
+ 't hashmap_list_t result
+ =
+ hashmap_hash_map_get_mut_in_list_loop_back ls key ret
+’
+
+val hashmap_hash_map_get_mut_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_mut] *)
+ hashmap_hash_map_get_mut_fwd
+ (self : 't hashmap_hash_map_t) (key : usize) : 't result =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ let i = vec_len self.hashmap_hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ hashmap_hash_map_get_mut_in_list_fwd l key
+ od
+ od
+’
+
+val hashmap_hash_map_get_mut_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::get_mut] *)
+ hashmap_hash_map_get_mut_back
+ (self : 't hashmap_hash_map_t) (key : usize) (ret : 't) :
+ 't hashmap_hash_map_t result
+ =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ let i = vec_len self.hashmap_hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ l0 <- hashmap_hash_map_get_mut_in_list_back l key ret;
+ v <- vec_index_mut_back self.hashmap_hash_map_slots hash_mod l0;
+ Return (self with <| hashmap_hash_map_slots := v |>)
+ od
+ od
+’
+
+val [hashmap_hash_map_remove_from_list_loop_fwd_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::remove_from_list] *)
+ hashmap_hash_map_remove_from_list_loop_fwd
+ (key : usize) (ls : 't hashmap_list_t) : 't option result =
+ (case ls of
+ | HashmapListCons ckey t tl =>
+ if ckey = key
+ then
+ let mv_ls = mem_replace_fwd (HashmapListCons ckey t tl) HashmapListNil
+ in
+ (case mv_ls of
+ | HashmapListCons i cvalue tl0 => Return (SOME cvalue)
+ | HashmapListNil => Fail Failure)
+ else hashmap_hash_map_remove_from_list_loop_fwd key tl
+ | HashmapListNil => Return NONE)
+’
+
+val hashmap_hash_map_remove_from_list_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::remove_from_list] *)
+ hashmap_hash_map_remove_from_list_fwd
+ (key : usize) (ls : 't hashmap_list_t) : 't option result =
+ hashmap_hash_map_remove_from_list_loop_fwd key ls
+’
+
+val [hashmap_hash_map_remove_from_list_loop_back_def] = DefineDiv ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::remove_from_list] *)
+ hashmap_hash_map_remove_from_list_loop_back
+ (key : usize) (ls : 't hashmap_list_t) : 't hashmap_list_t result =
+ (case ls of
+ | HashmapListCons ckey t tl =>
+ if ckey = key
+ then
+ let mv_ls = mem_replace_fwd (HashmapListCons ckey t tl) HashmapListNil
+ in
+ (case mv_ls of
+ | HashmapListCons i cvalue tl0 => Return tl0
+ | HashmapListNil => Fail Failure)
+ else (
+ do
+ tl0 <- hashmap_hash_map_remove_from_list_loop_back key tl;
+ Return (HashmapListCons ckey t tl0)
+ od)
+ | HashmapListNil => Return HashmapListNil)
+’
+
+val hashmap_hash_map_remove_from_list_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::remove_from_list] *)
+ hashmap_hash_map_remove_from_list_back
+ (key : usize) (ls : 't hashmap_list_t) : 't hashmap_list_t result =
+ hashmap_hash_map_remove_from_list_loop_back key ls
+’
+
+val hashmap_hash_map_remove_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::remove] *)
+ hashmap_hash_map_remove_fwd
+ (self : 't hashmap_hash_map_t) (key : usize) : 't option result =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ let i = vec_len self.hashmap_hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ x <- hashmap_hash_map_remove_from_list_fwd key l;
+ (case x of
+ | NONE => Return NONE
+ | SOME x0 =>
+ do
+ _ <- usize_sub self.hashmap_hash_map_num_entries (int_to_usize 1);
+ Return (SOME x0)
+ od)
+ od
+ od
+’
+
+val hashmap_hash_map_remove_back_def = Define ‘
+ (** [hashmap_main::hashmap::HashMap::{0}::remove] *)
+ hashmap_hash_map_remove_back
+ (self : 't hashmap_hash_map_t) (key : usize) :
+ 't hashmap_hash_map_t result
+ =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ let i = vec_len self.hashmap_hash_map_slots in
+ do
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ x <- hashmap_hash_map_remove_from_list_fwd key l;
+ (case x of
+ | NONE =>
+ do
+ l0 <- hashmap_hash_map_remove_from_list_back key l;
+ v <- vec_index_mut_back self.hashmap_hash_map_slots hash_mod l0;
+ Return (self with <| hashmap_hash_map_slots := v |>)
+ od
+ | SOME x0 =>
+ do
+ i0 <- usize_sub self.hashmap_hash_map_num_entries (int_to_usize 1);
+ l0 <- hashmap_hash_map_remove_from_list_back key l;
+ v <- vec_index_mut_back self.hashmap_hash_map_slots hash_mod l0;
+ Return
+ (self
+ with
+ <|
+ hashmap_hash_map_num_entries := i0; hashmap_hash_map_slots := v
+ |>)
+ od)
+ od
+ od
+’
+
+val hashmap_test1_fwd_def = Define ‘
+ (** [hashmap_main::hashmap::test1] *)
+ hashmap_test1_fwd : unit result =
+ do
+ hm <- hashmap_hash_map_new_fwd;
+ hm0 <-
+ hashmap_hash_map_insert_fwd_back hm (int_to_usize 0) (int_to_u64 42);
+ hm1 <-
+ hashmap_hash_map_insert_fwd_back hm0 (int_to_usize 128) (int_to_u64 18);
+ hm2 <-
+ hashmap_hash_map_insert_fwd_back hm1 (int_to_usize 1024) (int_to_u64 138);
+ hm3 <-
+ hashmap_hash_map_insert_fwd_back hm2 (int_to_usize 1056) (int_to_u64 256);
+ i <- hashmap_hash_map_get_fwd hm3 (int_to_usize 128);
+ if ~ (i = int_to_u64 18)
+ then Fail Failure
+ else (
+ do
+ hm4 <-
+ hashmap_hash_map_get_mut_back hm3 (int_to_usize 1024) (int_to_u64 56);
+ i0 <- hashmap_hash_map_get_fwd hm4 (int_to_usize 1024);
+ if ~ (i0 = int_to_u64 56)
+ then Fail Failure
+ else (
+ do
+ x <- hashmap_hash_map_remove_fwd hm4 (int_to_usize 1024);
+ (case x of
+ | NONE => Fail Failure
+ | SOME x0 =>
+ if ~ (x0 = int_to_u64 56)
+ then Fail Failure
+ else (
+ do
+ hm5 <- hashmap_hash_map_remove_back hm4 (int_to_usize 1024);
+ i1 <- hashmap_hash_map_get_fwd hm5 (int_to_usize 0);
+ if ~ (i1 = int_to_u64 42)
+ then Fail Failure
+ else (
+ do
+ i2 <- hashmap_hash_map_get_fwd hm5 (int_to_usize 128);
+ if ~ (i2 = int_to_u64 18)
+ then Fail Failure
+ else (
+ do
+ i3 <- hashmap_hash_map_get_fwd hm5 (int_to_usize 1056);
+ if ~ (i3 = int_to_u64 256) then Fail Failure else Return ()
+ od)
+ od)
+ od))
+ od)
+ od)
+ od
+’
+
+(** Unit test for [hashmap_main::hashmap::test1] *)
+val _ = assert_return (“hashmap_test1_fwd”)
+
+val insert_on_disk_fwd_def = Define ‘
+ (** [hashmap_main::insert_on_disk] *)
+ insert_on_disk_fwd
+ (key : usize) (value : u64) (st : state) : (state # unit) result =
+ do
+ (st0, hm) <- hashmap_utils_deserialize_fwd st;
+ hm0 <- hashmap_hash_map_insert_fwd_back hm key value;
+ (st1, _) <- hashmap_utils_serialize_fwd hm0 st0;
+ Return (st1, ())
+ od
+’
+
+val main_fwd_def = Define ‘
+ (** [hashmap_main::main] *)
+ main_fwd : unit result =
+ Return ()
+’
+
+(** Unit test for [hashmap_main::main] *)
+val _ = assert_return (“main_fwd”)
+
+val _ = export_theory ()
diff --git a/tests/hol4/hashmap_on_disk/hashmapMain_FunsTheory.sig b/tests/hol4/hashmap_on_disk/hashmapMain_FunsTheory.sig
new file mode 100644
index 00000000..1d24cb26
--- /dev/null
+++ b/tests/hol4/hashmap_on_disk/hashmapMain_FunsTheory.sig
@@ -0,0 +1,608 @@
+signature hashmapMain_FunsTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val core_num_u32_max_body_def : thm
+ val core_num_u32_max_c_def : thm
+ val hashmap_hash_key_fwd_def : thm
+ val hashmap_hash_map_allocate_slots_fwd_def : thm
+ val hashmap_hash_map_allocate_slots_loop_fwd_def : thm
+ val hashmap_hash_map_clear_fwd_back_def : thm
+ val hashmap_hash_map_clear_loop_fwd_back_def : thm
+ val hashmap_hash_map_contains_key_fwd_def : thm
+ val hashmap_hash_map_contains_key_in_list_fwd_def : thm
+ val hashmap_hash_map_contains_key_in_list_loop_fwd_def : thm
+ val hashmap_hash_map_get_fwd_def : thm
+ val hashmap_hash_map_get_in_list_fwd_def : thm
+ val hashmap_hash_map_get_in_list_loop_fwd_def : thm
+ val hashmap_hash_map_get_mut_back_def : thm
+ val hashmap_hash_map_get_mut_fwd_def : thm
+ val hashmap_hash_map_get_mut_in_list_back_def : thm
+ val hashmap_hash_map_get_mut_in_list_fwd_def : thm
+ val hashmap_hash_map_get_mut_in_list_loop_back_def : thm
+ val hashmap_hash_map_get_mut_in_list_loop_fwd_def : thm
+ val hashmap_hash_map_insert_fwd_back_def : thm
+ val hashmap_hash_map_insert_in_list_back_def : thm
+ val hashmap_hash_map_insert_in_list_fwd_def : thm
+ val hashmap_hash_map_insert_in_list_loop_back_def : thm
+ val hashmap_hash_map_insert_in_list_loop_fwd_def : thm
+ val hashmap_hash_map_insert_no_resize_fwd_back_def : thm
+ val hashmap_hash_map_len_fwd_def : thm
+ val hashmap_hash_map_move_elements_from_list_fwd_back_def : thm
+ val hashmap_hash_map_move_elements_from_list_loop_fwd_back_def : thm
+ val hashmap_hash_map_move_elements_fwd_back_def : thm
+ val hashmap_hash_map_move_elements_loop_fwd_back_def : thm
+ val hashmap_hash_map_new_fwd_def : thm
+ val hashmap_hash_map_new_with_capacity_fwd_def : thm
+ val hashmap_hash_map_remove_back_def : thm
+ val hashmap_hash_map_remove_from_list_back_def : thm
+ val hashmap_hash_map_remove_from_list_fwd_def : thm
+ val hashmap_hash_map_remove_from_list_loop_back_def : thm
+ val hashmap_hash_map_remove_from_list_loop_fwd_def : thm
+ val hashmap_hash_map_remove_fwd_def : thm
+ val hashmap_hash_map_try_resize_fwd_back_def : thm
+ val hashmap_test1_fwd_def : thm
+ val insert_on_disk_fwd_def : thm
+ val main_fwd_def : thm
+
+ val hashmapMain_Funs_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [hashmapMain_Opaque] Parent theory of "hashmapMain_Funs"
+
+ [core_num_u32_max_body_def] Definition
+
+ ⊢ core_num_u32_max_body = Return (int_to_u32 4294967295)
+
+ [core_num_u32_max_c_def] Definition
+
+ ⊢ core_num_u32_max_c = get_return_value core_num_u32_max_body
+
+ [hashmap_hash_key_fwd_def] Definition
+
+ ⊢ ∀k. hashmap_hash_key_fwd k = Return k
+
+ [hashmap_hash_map_allocate_slots_fwd_def] Definition
+
+ ⊢ ∀slots n.
+ hashmap_hash_map_allocate_slots_fwd slots n =
+ hashmap_hash_map_allocate_slots_loop_fwd slots n
+
+ [hashmap_hash_map_allocate_slots_loop_fwd_def] Definition
+
+ ⊢ ∀slots n.
+ hashmap_hash_map_allocate_slots_loop_fwd slots n =
+ if usize_gt n (int_to_usize 0) then
+ do
+ slots0 <- vec_push_back slots HashmapListNil;
+ n0 <- usize_sub n (int_to_usize 1);
+ hashmap_hash_map_allocate_slots_loop_fwd slots0 n0
+ od
+ else Return slots
+
+ [hashmap_hash_map_clear_fwd_back_def] Definition
+
+ ⊢ ∀self.
+ hashmap_hash_map_clear_fwd_back self =
+ do
+ v <-
+ hashmap_hash_map_clear_loop_fwd_back
+ self.hashmap_hash_map_slots (int_to_usize 0);
+ Return
+ (self with
+ <|hashmap_hash_map_num_entries := int_to_usize 0;
+ hashmap_hash_map_slots := v|>)
+ od
+
+ [hashmap_hash_map_clear_loop_fwd_back_def] Definition
+
+ ⊢ ∀slots i.
+ hashmap_hash_map_clear_loop_fwd_back slots i =
+ (let
+ i0 = vec_len slots
+ in
+ if usize_lt i i0 then
+ do
+ i1 <- usize_add i (int_to_usize 1);
+ slots0 <- vec_index_mut_back slots i HashmapListNil;
+ hashmap_hash_map_clear_loop_fwd_back slots0 i1
+ od
+ else Return slots)
+
+ [hashmap_hash_map_contains_key_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hashmap_hash_map_contains_key_fwd self key =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ i <<- vec_len self.hashmap_hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hashmap_hash_map_slots hash_mod;
+ hashmap_hash_map_contains_key_in_list_fwd key l
+ od
+
+ [hashmap_hash_map_contains_key_in_list_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_contains_key_in_list_fwd key ls =
+ hashmap_hash_map_contains_key_in_list_loop_fwd key ls
+
+ [hashmap_hash_map_contains_key_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_contains_key_in_list_loop_fwd key ls =
+ case ls of
+ HashmapListCons ckey t tl =>
+ if ckey = key then Return T
+ else hashmap_hash_map_contains_key_in_list_loop_fwd key tl
+ | HashmapListNil => Return F
+
+ [hashmap_hash_map_get_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hashmap_hash_map_get_fwd self key =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ i <<- vec_len self.hashmap_hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_fwd self.hashmap_hash_map_slots hash_mod;
+ hashmap_hash_map_get_in_list_fwd key l
+ od
+
+ [hashmap_hash_map_get_in_list_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_get_in_list_fwd key ls =
+ hashmap_hash_map_get_in_list_loop_fwd key ls
+
+ [hashmap_hash_map_get_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_get_in_list_loop_fwd key ls =
+ case ls of
+ HashmapListCons ckey cvalue tl =>
+ if ckey = key then Return cvalue
+ else hashmap_hash_map_get_in_list_loop_fwd key tl
+ | HashmapListNil => Fail Failure
+
+ [hashmap_hash_map_get_mut_back_def] Definition
+
+ ⊢ ∀self key ret.
+ hashmap_hash_map_get_mut_back self key ret =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ i <<- vec_len self.hashmap_hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ l0 <- hashmap_hash_map_get_mut_in_list_back l key ret;
+ v <- vec_index_mut_back self.hashmap_hash_map_slots hash_mod l0;
+ Return (self with hashmap_hash_map_slots := v)
+ od
+
+ [hashmap_hash_map_get_mut_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hashmap_hash_map_get_mut_fwd self key =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ i <<- vec_len self.hashmap_hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ hashmap_hash_map_get_mut_in_list_fwd l key
+ od
+
+ [hashmap_hash_map_get_mut_in_list_back_def] Definition
+
+ ⊢ ∀ls key ret.
+ hashmap_hash_map_get_mut_in_list_back ls key ret =
+ hashmap_hash_map_get_mut_in_list_loop_back ls key ret
+
+ [hashmap_hash_map_get_mut_in_list_fwd_def] Definition
+
+ ⊢ ∀ls key.
+ hashmap_hash_map_get_mut_in_list_fwd ls key =
+ hashmap_hash_map_get_mut_in_list_loop_fwd ls key
+
+ [hashmap_hash_map_get_mut_in_list_loop_back_def] Definition
+
+ ⊢ ∀ls key ret.
+ hashmap_hash_map_get_mut_in_list_loop_back ls key ret =
+ case ls of
+ HashmapListCons ckey cvalue tl =>
+ if ckey = key then Return (HashmapListCons ckey ret tl)
+ else
+ do
+ tl0 <-
+ hashmap_hash_map_get_mut_in_list_loop_back tl key ret;
+ Return (HashmapListCons ckey cvalue tl0)
+ od
+ | HashmapListNil => Fail Failure
+
+ [hashmap_hash_map_get_mut_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀ls key.
+ hashmap_hash_map_get_mut_in_list_loop_fwd ls key =
+ case ls of
+ HashmapListCons ckey cvalue tl =>
+ if ckey = key then Return cvalue
+ else hashmap_hash_map_get_mut_in_list_loop_fwd tl key
+ | HashmapListNil => Fail Failure
+
+ [hashmap_hash_map_insert_fwd_back_def] Definition
+
+ ⊢ ∀self key value.
+ hashmap_hash_map_insert_fwd_back self key value =
+ do
+ self0 <-
+ hashmap_hash_map_insert_no_resize_fwd_back self key value;
+ i <- hashmap_hash_map_len_fwd self0;
+ if usize_gt i self0.hashmap_hash_map_max_load then
+ hashmap_hash_map_try_resize_fwd_back self0
+ else Return self0
+ od
+
+ [hashmap_hash_map_insert_in_list_back_def] Definition
+
+ ⊢ ∀key value ls.
+ hashmap_hash_map_insert_in_list_back key value ls =
+ hashmap_hash_map_insert_in_list_loop_back key value ls
+
+ [hashmap_hash_map_insert_in_list_fwd_def] Definition
+
+ ⊢ ∀key value ls.
+ hashmap_hash_map_insert_in_list_fwd key value ls =
+ hashmap_hash_map_insert_in_list_loop_fwd key value ls
+
+ [hashmap_hash_map_insert_in_list_loop_back_def] Definition
+
+ ⊢ ∀key value ls.
+ hashmap_hash_map_insert_in_list_loop_back key value ls =
+ case ls of
+ HashmapListCons ckey cvalue tl =>
+ if ckey = key then Return (HashmapListCons ckey value tl)
+ else
+ do
+ tl0 <-
+ hashmap_hash_map_insert_in_list_loop_back key value tl;
+ Return (HashmapListCons ckey cvalue tl0)
+ od
+ | HashmapListNil =>
+ (let
+ l = HashmapListNil
+ in
+ Return (HashmapListCons key value l))
+
+ [hashmap_hash_map_insert_in_list_loop_fwd_def] Definition
+
+ ⊢ ∀key value ls.
+ hashmap_hash_map_insert_in_list_loop_fwd key value ls =
+ case ls of
+ HashmapListCons ckey cvalue tl =>
+ if ckey = key then Return F
+ else hashmap_hash_map_insert_in_list_loop_fwd key value tl
+ | HashmapListNil => Return T
+
+ [hashmap_hash_map_insert_no_resize_fwd_back_def] Definition
+
+ ⊢ ∀self key value.
+ hashmap_hash_map_insert_no_resize_fwd_back self key value =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ i <<- vec_len self.hashmap_hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ inserted <- hashmap_hash_map_insert_in_list_fwd key value l;
+ if inserted then
+ do
+ i0 <-
+ usize_add self.hashmap_hash_map_num_entries
+ (int_to_usize 1);
+ l0 <- hashmap_hash_map_insert_in_list_back key value l;
+ v <-
+ vec_index_mut_back self.hashmap_hash_map_slots hash_mod
+ l0;
+ Return
+ (self with
+ <|hashmap_hash_map_num_entries := i0;
+ hashmap_hash_map_slots := v|>)
+ od
+ else
+ do
+ l0 <- hashmap_hash_map_insert_in_list_back key value l;
+ v <-
+ vec_index_mut_back self.hashmap_hash_map_slots hash_mod
+ l0;
+ Return (self with hashmap_hash_map_slots := v)
+ od
+ od
+
+ [hashmap_hash_map_len_fwd_def] Definition
+
+ ⊢ ∀self.
+ hashmap_hash_map_len_fwd self =
+ Return self.hashmap_hash_map_num_entries
+
+ [hashmap_hash_map_move_elements_from_list_fwd_back_def] Definition
+
+ ⊢ ∀ntable ls.
+ hashmap_hash_map_move_elements_from_list_fwd_back ntable ls =
+ hashmap_hash_map_move_elements_from_list_loop_fwd_back ntable ls
+
+ [hashmap_hash_map_move_elements_from_list_loop_fwd_back_def] Definition
+
+ ⊢ ∀ntable ls.
+ hashmap_hash_map_move_elements_from_list_loop_fwd_back ntable ls =
+ case ls of
+ HashmapListCons k v tl =>
+ do
+ ntable0 <-
+ hashmap_hash_map_insert_no_resize_fwd_back ntable k v;
+ hashmap_hash_map_move_elements_from_list_loop_fwd_back
+ ntable0 tl
+ od
+ | HashmapListNil => Return ntable
+
+ [hashmap_hash_map_move_elements_fwd_back_def] Definition
+
+ ⊢ ∀ntable slots i.
+ hashmap_hash_map_move_elements_fwd_back ntable slots i =
+ hashmap_hash_map_move_elements_loop_fwd_back ntable slots i
+
+ [hashmap_hash_map_move_elements_loop_fwd_back_def] Definition
+
+ ⊢ ∀ntable slots i.
+ hashmap_hash_map_move_elements_loop_fwd_back ntable slots i =
+ (let
+ i0 = vec_len slots
+ in
+ if usize_lt i i0 then
+ do
+ l <- vec_index_mut_fwd slots i;
+ ls <<- mem_replace_fwd l HashmapListNil;
+ ntable0 <-
+ hashmap_hash_map_move_elements_from_list_fwd_back ntable
+ ls;
+ i1 <- usize_add i (int_to_usize 1);
+ l0 <<- mem_replace_back l HashmapListNil;
+ slots0 <- vec_index_mut_back slots i l0;
+ hashmap_hash_map_move_elements_loop_fwd_back ntable0
+ slots0 i1
+ od
+ else Return (ntable,slots))
+
+ [hashmap_hash_map_new_fwd_def] Definition
+
+ ⊢ hashmap_hash_map_new_fwd =
+ hashmap_hash_map_new_with_capacity_fwd (int_to_usize 32)
+ (int_to_usize 4) (int_to_usize 5)
+
+ [hashmap_hash_map_new_with_capacity_fwd_def] Definition
+
+ ⊢ ∀capacity max_load_dividend max_load_divisor.
+ hashmap_hash_map_new_with_capacity_fwd capacity max_load_dividend
+ max_load_divisor =
+ (let
+ v = vec_new
+ in
+ do
+ slots <- hashmap_hash_map_allocate_slots_fwd v capacity;
+ i <- usize_mul capacity max_load_dividend;
+ i0 <- usize_div i max_load_divisor;
+ Return
+ <|hashmap_hash_map_num_entries := int_to_usize 0;
+ hashmap_hash_map_max_load_factor :=
+ (max_load_dividend,max_load_divisor);
+ hashmap_hash_map_max_load := i0;
+ hashmap_hash_map_slots := slots|>
+ od)
+
+ [hashmap_hash_map_remove_back_def] Definition
+
+ ⊢ ∀self key.
+ hashmap_hash_map_remove_back self key =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ i <<- vec_len self.hashmap_hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ x <- hashmap_hash_map_remove_from_list_fwd key l;
+ case x of
+ NONE =>
+ do
+ l0 <- hashmap_hash_map_remove_from_list_back key l;
+ v <-
+ vec_index_mut_back self.hashmap_hash_map_slots hash_mod
+ l0;
+ Return (self with hashmap_hash_map_slots := v)
+ od
+ | SOME x0 =>
+ do
+ i0 <-
+ usize_sub self.hashmap_hash_map_num_entries
+ (int_to_usize 1);
+ l0 <- hashmap_hash_map_remove_from_list_back key l;
+ v <-
+ vec_index_mut_back self.hashmap_hash_map_slots hash_mod
+ l0;
+ Return
+ (self with
+ <|hashmap_hash_map_num_entries := i0;
+ hashmap_hash_map_slots := v|>)
+ od
+ od
+
+ [hashmap_hash_map_remove_from_list_back_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_remove_from_list_back key ls =
+ hashmap_hash_map_remove_from_list_loop_back key ls
+
+ [hashmap_hash_map_remove_from_list_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_remove_from_list_fwd key ls =
+ hashmap_hash_map_remove_from_list_loop_fwd key ls
+
+ [hashmap_hash_map_remove_from_list_loop_back_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_remove_from_list_loop_back key ls =
+ case ls of
+ HashmapListCons ckey t tl =>
+ if ckey = key then
+ (let
+ mv_ls =
+ mem_replace_fwd (HashmapListCons ckey t tl)
+ HashmapListNil
+ in
+ case mv_ls of
+ HashmapListCons i cvalue tl0 => Return tl0
+ | HashmapListNil => Fail Failure)
+ else
+ do
+ tl0 <- hashmap_hash_map_remove_from_list_loop_back key tl;
+ Return (HashmapListCons ckey t tl0)
+ od
+ | HashmapListNil => Return HashmapListNil
+
+ [hashmap_hash_map_remove_from_list_loop_fwd_def] Definition
+
+ ⊢ ∀key ls.
+ hashmap_hash_map_remove_from_list_loop_fwd key ls =
+ case ls of
+ HashmapListCons ckey t tl =>
+ if ckey = key then
+ (let
+ mv_ls =
+ mem_replace_fwd (HashmapListCons ckey t tl)
+ HashmapListNil
+ in
+ case mv_ls of
+ HashmapListCons i cvalue tl0 => Return (SOME cvalue)
+ | HashmapListNil => Fail Failure)
+ else hashmap_hash_map_remove_from_list_loop_fwd key tl
+ | HashmapListNil => Return NONE
+
+ [hashmap_hash_map_remove_fwd_def] Definition
+
+ ⊢ ∀self key.
+ hashmap_hash_map_remove_fwd self key =
+ do
+ hash <- hashmap_hash_key_fwd key;
+ i <<- vec_len self.hashmap_hash_map_slots;
+ hash_mod <- usize_rem hash i;
+ l <- vec_index_mut_fwd self.hashmap_hash_map_slots hash_mod;
+ x <- hashmap_hash_map_remove_from_list_fwd key l;
+ case x of
+ NONE => Return NONE
+ | SOME x0 =>
+ monad_ignore_bind
+ (usize_sub self.hashmap_hash_map_num_entries
+ (int_to_usize 1)) (Return (SOME x0))
+ od
+
+ [hashmap_hash_map_try_resize_fwd_back_def] Definition
+
+ ⊢ ∀self.
+ hashmap_hash_map_try_resize_fwd_back self =
+ do
+ max_usize <- mk_usize (u32_to_int core_num_u32_max_c);
+ capacity <<- vec_len self.hashmap_hash_map_slots;
+ n1 <- usize_div max_usize (int_to_usize 2);
+ (i,i0) <<- self.hashmap_hash_map_max_load_factor;
+ i1 <- usize_div n1 i;
+ if usize_le capacity i1 then
+ do
+ i2 <- usize_mul capacity (int_to_usize 2);
+ ntable <- hashmap_hash_map_new_with_capacity_fwd i2 i i0;
+ (ntable0,_) <-
+ hashmap_hash_map_move_elements_fwd_back ntable
+ self.hashmap_hash_map_slots (int_to_usize 0);
+ Return
+ (ntable0 with
+ <|hashmap_hash_map_num_entries :=
+ self.hashmap_hash_map_num_entries;
+ hashmap_hash_map_max_load_factor := (i,i0)|>)
+ od
+ else
+ Return (self with hashmap_hash_map_max_load_factor := (i,i0))
+ od
+
+ [hashmap_test1_fwd_def] Definition
+
+ ⊢ hashmap_test1_fwd =
+ do
+ hm <- hashmap_hash_map_new_fwd;
+ hm0 <-
+ hashmap_hash_map_insert_fwd_back hm (int_to_usize 0)
+ (int_to_u64 42);
+ hm1 <-
+ hashmap_hash_map_insert_fwd_back hm0 (int_to_usize 128)
+ (int_to_u64 18);
+ hm2 <-
+ hashmap_hash_map_insert_fwd_back hm1 (int_to_usize 1024)
+ (int_to_u64 138);
+ hm3 <-
+ hashmap_hash_map_insert_fwd_back hm2 (int_to_usize 1056)
+ (int_to_u64 256);
+ i <- hashmap_hash_map_get_fwd hm3 (int_to_usize 128);
+ if i ≠ int_to_u64 18 then Fail Failure
+ else
+ do
+ hm4 <-
+ hashmap_hash_map_get_mut_back hm3 (int_to_usize 1024)
+ (int_to_u64 56);
+ i0 <- hashmap_hash_map_get_fwd hm4 (int_to_usize 1024);
+ if i0 ≠ int_to_u64 56 then Fail Failure
+ else
+ do
+ x <- hashmap_hash_map_remove_fwd hm4 (int_to_usize 1024);
+ case x of
+ NONE => Fail Failure
+ | SOME x0 =>
+ if x0 ≠ int_to_u64 56 then Fail Failure
+ else
+ do
+ hm5 <-
+ hashmap_hash_map_remove_back hm4
+ (int_to_usize 1024);
+ i1 <- hashmap_hash_map_get_fwd hm5 (int_to_usize 0);
+ if i1 ≠ int_to_u64 42 then Fail Failure
+ else
+ do
+ i2 <-
+ hashmap_hash_map_get_fwd hm5
+ (int_to_usize 128);
+ if i2 ≠ int_to_u64 18 then Fail Failure
+ else
+ do
+ i3 <-
+ hashmap_hash_map_get_fwd hm5
+ (int_to_usize 1056);
+ if i3 ≠ int_to_u64 256 then Fail Failure
+ else Return ()
+ od
+ od
+ od
+ od
+ od
+ od
+
+ [insert_on_disk_fwd_def] Definition
+
+ ⊢ ∀key value st.
+ insert_on_disk_fwd key value st =
+ do
+ (st0,hm) <- hashmap_utils_deserialize_fwd st;
+ hm0 <- hashmap_hash_map_insert_fwd_back hm key value;
+ (st1,_) <- hashmap_utils_serialize_fwd hm0 st0;
+ Return (st1,())
+ od
+
+ [main_fwd_def] Definition
+
+ ⊢ main_fwd = Return ()
+
+
+*)
+end
diff --git a/tests/hol4/hashmap_on_disk/hashmapMain_OpaqueScript.sml b/tests/hol4/hashmap_on_disk/hashmapMain_OpaqueScript.sml
new file mode 100644
index 00000000..5f6bcbb4
--- /dev/null
+++ b/tests/hol4/hashmap_on_disk/hashmapMain_OpaqueScript.sml
@@ -0,0 +1,15 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [hashmap_main]: opaque function definitions *)
+open primitivesLib divDefLib
+open hashmapMain_TypesTheory
+
+val _ = new_theory "hashmapMain_Opaque"
+
+
+val _ = new_constant ("hashmap_utils_deserialize_fwd",
+ “:state -> (state # u64 hashmap_hash_map_t) result”)
+
+val _ = new_constant ("hashmap_utils_serialize_fwd",
+ “:u64 hashmap_hash_map_t -> state -> (state # unit) result”)
+
+val _ = export_theory ()
diff --git a/tests/hol4/hashmap_on_disk/hashmapMain_OpaqueTheory.sig b/tests/hol4/hashmap_on_disk/hashmapMain_OpaqueTheory.sig
new file mode 100644
index 00000000..f7373609
--- /dev/null
+++ b/tests/hol4/hashmap_on_disk/hashmapMain_OpaqueTheory.sig
@@ -0,0 +1,11 @@
+signature hashmapMain_OpaqueTheory =
+sig
+ type thm = Thm.thm
+
+ val hashmapMain_Opaque_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [hashmapMain_Types] Parent theory of "hashmapMain_Opaque"
+
+
+*)
+end
diff --git a/tests/hol4/hashmap_on_disk/hashmapMain_TypesScript.sml b/tests/hol4/hashmap_on_disk/hashmapMain_TypesScript.sml
new file mode 100644
index 00000000..3f8ca9b9
--- /dev/null
+++ b/tests/hol4/hashmap_on_disk/hashmapMain_TypesScript.sml
@@ -0,0 +1,27 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [hashmap_main]: type definitions *)
+open primitivesLib divDefLib
+
+val _ = new_theory "hashmapMain_Types"
+
+
+Datatype:
+ (** [hashmap_main::hashmap::List] *)
+ hashmap_list_t = | HashmapListCons usize 't hashmap_list_t | HashmapListNil
+End
+
+Datatype:
+ (** [hashmap_main::hashmap::HashMap] *)
+ hashmap_hash_map_t =
+ <|
+ hashmap_hash_map_num_entries : usize;
+ hashmap_hash_map_max_load_factor : (usize # usize);
+ hashmap_hash_map_max_load : usize;
+ hashmap_hash_map_slots : 't hashmap_list_t vec;
+ |>
+End
+
+(** The state type used in the state-error monad *)
+val _ = new_type ("state", 0)
+
+val _ = export_theory ()
diff --git a/tests/hol4/hashmap_on_disk/hashmapMain_TypesTheory.sig b/tests/hol4/hashmap_on_disk/hashmapMain_TypesTheory.sig
new file mode 100644
index 00000000..bea7eb76
--- /dev/null
+++ b/tests/hol4/hashmap_on_disk/hashmapMain_TypesTheory.sig
@@ -0,0 +1,568 @@
+signature hashmapMain_TypesTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val hashmap_hash_map_t_TY_DEF : thm
+ val hashmap_hash_map_t_case_def : thm
+ val hashmap_hash_map_t_size_def : thm
+ val hashmap_list_t_TY_DEF : thm
+ val hashmap_list_t_case_def : thm
+ val hashmap_list_t_size_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_factor_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_factor_fupd_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_fupd_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_num_entries_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_num_entries_fupd_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_slots_def : thm
+ val recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_slots_fupd_def : thm
+
+ (* Theorems *)
+ val EXISTS_hashmap_hash_map_t : thm
+ val FORALL_hashmap_hash_map_t : thm
+ val datatype_hashmap_hash_map_t : thm
+ val datatype_hashmap_list_t : thm
+ val hashmap_hash_map_t_11 : thm
+ val hashmap_hash_map_t_Axiom : thm
+ val hashmap_hash_map_t_accessors : thm
+ val hashmap_hash_map_t_accfupds : thm
+ val hashmap_hash_map_t_case_cong : thm
+ val hashmap_hash_map_t_case_eq : thm
+ val hashmap_hash_map_t_component_equality : thm
+ val hashmap_hash_map_t_fn_updates : thm
+ val hashmap_hash_map_t_fupdcanon : thm
+ val hashmap_hash_map_t_fupdcanon_comp : thm
+ val hashmap_hash_map_t_fupdfupds : thm
+ val hashmap_hash_map_t_fupdfupds_comp : thm
+ val hashmap_hash_map_t_induction : thm
+ val hashmap_hash_map_t_literal_11 : thm
+ val hashmap_hash_map_t_literal_nchotomy : thm
+ val hashmap_hash_map_t_nchotomy : thm
+ val hashmap_hash_map_t_updates_eq_literal : thm
+ val hashmap_list_t_11 : thm
+ val hashmap_list_t_Axiom : thm
+ val hashmap_list_t_case_cong : thm
+ val hashmap_list_t_case_eq : thm
+ val hashmap_list_t_distinct : thm
+ val hashmap_list_t_induction : thm
+ val hashmap_list_t_nchotomy : thm
+
+ val hashmapMain_Types_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "hashmapMain_Types"
+
+ [hashmap_hash_map_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('hashmap_hash_map_t').
+ (∀a0'.
+ (∃a0 a1 a2 a3.
+ a0' =
+ (λa0 a1 a2 a3.
+ ind_type$CONSTR 0 (a0,a1,a2,a3)
+ (λn. ind_type$BOTTOM)) a0 a1 a2 a3) ⇒
+ $var$('hashmap_hash_map_t') a0') ⇒
+ $var$('hashmap_hash_map_t') a0') rep
+
+ [hashmap_hash_map_t_case_def] Definition
+
+ ⊢ ∀a0 a1 a2 a3 f.
+ hashmap_hash_map_t_CASE (hashmap_hash_map_t a0 a1 a2 a3) f =
+ f a0 a1 a2 a3
+
+ [hashmap_hash_map_t_size_def] Definition
+
+ ⊢ ∀f a0 a1 a2 a3.
+ hashmap_hash_map_t_size f (hashmap_hash_map_t a0 a1 a2 a3) =
+ 1 + pair_size (λv. 0) (λv. 0) a1
+
+ [hashmap_list_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('hashmap_list_t').
+ (∀a0'.
+ (∃a0 a1 a2.
+ a0' =
+ (λa0 a1 a2.
+ ind_type$CONSTR 0 (a0,a1)
+ (ind_type$FCONS a2 (λn. ind_type$BOTTOM)))
+ a0 a1 a2 ∧ $var$('hashmap_list_t') a2) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) (ARB,ARB)
+ (λn. ind_type$BOTTOM) ⇒
+ $var$('hashmap_list_t') a0') ⇒
+ $var$('hashmap_list_t') a0') rep
+
+ [hashmap_list_t_case_def] Definition
+
+ ⊢ (∀a0 a1 a2 f v.
+ hashmap_list_t_CASE (HashmapListCons a0 a1 a2) f v = f a0 a1 a2) ∧
+ ∀f v. hashmap_list_t_CASE HashmapListNil f v = v
+
+ [hashmap_list_t_size_def] Definition
+
+ ⊢ (∀f a0 a1 a2.
+ hashmap_list_t_size f (HashmapListCons a0 a1 a2) =
+ 1 + (f a1 + hashmap_list_t_size f a2)) ∧
+ ∀f. hashmap_list_t_size f HashmapListNil = 0
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_def] Definition
+
+ ⊢ ∀u p u0 v.
+ (hashmap_hash_map_t u p u0 v).hashmap_hash_map_max_load = u0
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_factor_def] Definition
+
+ ⊢ ∀u p u0 v.
+ (hashmap_hash_map_t u p u0 v).hashmap_hash_map_max_load_factor =
+ p
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_factor_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_max_load_factor updated_by f =
+ hashmap_hash_map_t u (f p) u0 v
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_max_load_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_max_load updated_by f =
+ hashmap_hash_map_t u p (f u0) v
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_num_entries_def] Definition
+
+ ⊢ ∀u p u0 v.
+ (hashmap_hash_map_t u p u0 v).hashmap_hash_map_num_entries = u
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_num_entries_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_num_entries updated_by f =
+ hashmap_hash_map_t (f u) p u0 v
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_slots_def] Definition
+
+ ⊢ ∀u p u0 v. (hashmap_hash_map_t u p u0 v).hashmap_hash_map_slots = v
+
+ [recordtype_hashmap_hash_map_t_seldef_hashmap_hash_map_slots_fupd_def] Definition
+
+ ⊢ ∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_slots updated_by f =
+ hashmap_hash_map_t u p u0 (f v)
+
+ [EXISTS_hashmap_hash_map_t] Theorem
+
+ ⊢ ∀P. (∃h. P h) ⇔
+ ∃u0 p u v.
+ P
+ <|hashmap_hash_map_num_entries := u0;
+ hashmap_hash_map_max_load_factor := p;
+ hashmap_hash_map_max_load := u;
+ hashmap_hash_map_slots := v|>
+
+ [FORALL_hashmap_hash_map_t] Theorem
+
+ ⊢ ∀P. (∀h. P h) ⇔
+ ∀u0 p u v.
+ P
+ <|hashmap_hash_map_num_entries := u0;
+ hashmap_hash_map_max_load_factor := p;
+ hashmap_hash_map_max_load := u;
+ hashmap_hash_map_slots := v|>
+
+ [datatype_hashmap_hash_map_t] Theorem
+
+ ⊢ DATATYPE
+ (record hashmap_hash_map_t hashmap_hash_map_num_entries
+ hashmap_hash_map_max_load_factor hashmap_hash_map_max_load
+ hashmap_hash_map_slots)
+
+ [datatype_hashmap_list_t] Theorem
+
+ ⊢ DATATYPE (hashmap_list_t HashmapListCons HashmapListNil)
+
+ [hashmap_hash_map_t_11] Theorem
+
+ ⊢ ∀a0 a1 a2 a3 a0' a1' a2' a3'.
+ hashmap_hash_map_t a0 a1 a2 a3 =
+ hashmap_hash_map_t a0' a1' a2' a3' ⇔
+ a0 = a0' ∧ a1 = a1' ∧ a2 = a2' ∧ a3 = a3'
+
+ [hashmap_hash_map_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a0 a1 a2 a3.
+ fn (hashmap_hash_map_t a0 a1 a2 a3) = f a0 a1 a2 a3
+
+ [hashmap_hash_map_t_accessors] Theorem
+
+ ⊢ (∀u p u0 v.
+ (hashmap_hash_map_t u p u0 v).hashmap_hash_map_num_entries = u) ∧
+ (∀u p u0 v.
+ (hashmap_hash_map_t u p u0 v).hashmap_hash_map_max_load_factor =
+ p) ∧
+ (∀u p u0 v.
+ (hashmap_hash_map_t u p u0 v).hashmap_hash_map_max_load = u0) ∧
+ ∀u p u0 v. (hashmap_hash_map_t u p u0 v).hashmap_hash_map_slots = v
+
+ [hashmap_hash_map_t_accfupds] Theorem
+
+ ⊢ (∀h f.
+ (h with hashmap_hash_map_max_load_factor updated_by f).
+ hashmap_hash_map_num_entries =
+ h.hashmap_hash_map_num_entries) ∧
+ (∀h f.
+ (h with hashmap_hash_map_max_load updated_by f).
+ hashmap_hash_map_num_entries =
+ h.hashmap_hash_map_num_entries) ∧
+ (∀h f.
+ (h with hashmap_hash_map_slots updated_by f).
+ hashmap_hash_map_num_entries =
+ h.hashmap_hash_map_num_entries) ∧
+ (∀h f.
+ (h with hashmap_hash_map_num_entries updated_by f).
+ hashmap_hash_map_max_load_factor =
+ h.hashmap_hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hashmap_hash_map_max_load updated_by f).
+ hashmap_hash_map_max_load_factor =
+ h.hashmap_hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hashmap_hash_map_slots updated_by f).
+ hashmap_hash_map_max_load_factor =
+ h.hashmap_hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hashmap_hash_map_num_entries updated_by f).
+ hashmap_hash_map_max_load =
+ h.hashmap_hash_map_max_load) ∧
+ (∀h f.
+ (h with hashmap_hash_map_max_load_factor updated_by f).
+ hashmap_hash_map_max_load =
+ h.hashmap_hash_map_max_load) ∧
+ (∀h f.
+ (h with hashmap_hash_map_slots updated_by f).
+ hashmap_hash_map_max_load =
+ h.hashmap_hash_map_max_load) ∧
+ (∀h f.
+ (h with hashmap_hash_map_num_entries updated_by f).
+ hashmap_hash_map_slots =
+ h.hashmap_hash_map_slots) ∧
+ (∀h f.
+ (h with hashmap_hash_map_max_load_factor updated_by f).
+ hashmap_hash_map_slots =
+ h.hashmap_hash_map_slots) ∧
+ (∀h f.
+ (h with hashmap_hash_map_max_load updated_by f).
+ hashmap_hash_map_slots =
+ h.hashmap_hash_map_slots) ∧
+ (∀h f.
+ (h with hashmap_hash_map_num_entries updated_by f).
+ hashmap_hash_map_num_entries =
+ f h.hashmap_hash_map_num_entries) ∧
+ (∀h f.
+ (h with hashmap_hash_map_max_load_factor updated_by f).
+ hashmap_hash_map_max_load_factor =
+ f h.hashmap_hash_map_max_load_factor) ∧
+ (∀h f.
+ (h with hashmap_hash_map_max_load updated_by f).
+ hashmap_hash_map_max_load =
+ f h.hashmap_hash_map_max_load) ∧
+ ∀h f.
+ (h with hashmap_hash_map_slots updated_by f).
+ hashmap_hash_map_slots =
+ f h.hashmap_hash_map_slots
+
+ [hashmap_hash_map_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧
+ (∀a0 a1 a2 a3.
+ M' = hashmap_hash_map_t a0 a1 a2 a3 ⇒
+ f a0 a1 a2 a3 = f' a0 a1 a2 a3) ⇒
+ hashmap_hash_map_t_CASE M f = hashmap_hash_map_t_CASE M' f'
+
+ [hashmap_hash_map_t_case_eq] Theorem
+
+ ⊢ hashmap_hash_map_t_CASE x f = v ⇔
+ ∃u p u0 v'. x = hashmap_hash_map_t u p u0 v' ∧ f u p u0 v' = v
+
+ [hashmap_hash_map_t_component_equality] Theorem
+
+ ⊢ ∀h1 h2.
+ h1 = h2 ⇔
+ h1.hashmap_hash_map_num_entries = h2.hashmap_hash_map_num_entries ∧
+ h1.hashmap_hash_map_max_load_factor =
+ h2.hashmap_hash_map_max_load_factor ∧
+ h1.hashmap_hash_map_max_load = h2.hashmap_hash_map_max_load ∧
+ h1.hashmap_hash_map_slots = h2.hashmap_hash_map_slots
+
+ [hashmap_hash_map_t_fn_updates] Theorem
+
+ ⊢ (∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_num_entries updated_by f =
+ hashmap_hash_map_t (f u) p u0 v) ∧
+ (∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_max_load_factor updated_by f =
+ hashmap_hash_map_t u (f p) u0 v) ∧
+ (∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_max_load updated_by f =
+ hashmap_hash_map_t u p (f u0) v) ∧
+ ∀f u p u0 v.
+ hashmap_hash_map_t u p u0 v with
+ hashmap_hash_map_slots updated_by f =
+ hashmap_hash_map_t u p u0 (f v)
+
+ [hashmap_hash_map_t_fupdcanon] Theorem
+
+ ⊢ (∀h g f.
+ h with
+ <|hashmap_hash_map_max_load_factor updated_by f;
+ hashmap_hash_map_num_entries updated_by g|> =
+ h with
+ <|hashmap_hash_map_num_entries updated_by g;
+ hashmap_hash_map_max_load_factor updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hashmap_hash_map_max_load updated_by f;
+ hashmap_hash_map_num_entries updated_by g|> =
+ h with
+ <|hashmap_hash_map_num_entries updated_by g;
+ hashmap_hash_map_max_load updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hashmap_hash_map_max_load updated_by f;
+ hashmap_hash_map_max_load_factor updated_by g|> =
+ h with
+ <|hashmap_hash_map_max_load_factor updated_by g;
+ hashmap_hash_map_max_load updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hashmap_hash_map_slots updated_by f;
+ hashmap_hash_map_num_entries updated_by g|> =
+ h with
+ <|hashmap_hash_map_num_entries updated_by g;
+ hashmap_hash_map_slots updated_by f|>) ∧
+ (∀h g f.
+ h with
+ <|hashmap_hash_map_slots updated_by f;
+ hashmap_hash_map_max_load_factor updated_by g|> =
+ h with
+ <|hashmap_hash_map_max_load_factor updated_by g;
+ hashmap_hash_map_slots updated_by f|>) ∧
+ ∀h g f.
+ h with
+ <|hashmap_hash_map_slots updated_by f;
+ hashmap_hash_map_max_load updated_by g|> =
+ h with
+ <|hashmap_hash_map_max_load updated_by g;
+ hashmap_hash_map_slots updated_by f|>
+
+ [hashmap_hash_map_t_fupdcanon_comp] Theorem
+
+ ⊢ ((∀g f.
+ hashmap_hash_map_max_load_factor_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g =
+ hashmap_hash_map_num_entries_fupd g ∘
+ hashmap_hash_map_max_load_factor_fupd f) ∧
+ ∀h g f.
+ hashmap_hash_map_max_load_factor_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g ∘ h =
+ hashmap_hash_map_num_entries_fupd g ∘
+ hashmap_hash_map_max_load_factor_fupd f ∘ h) ∧
+ ((∀g f.
+ hashmap_hash_map_max_load_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g =
+ hashmap_hash_map_num_entries_fupd g ∘
+ hashmap_hash_map_max_load_fupd f) ∧
+ ∀h g f.
+ hashmap_hash_map_max_load_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g ∘ h =
+ hashmap_hash_map_num_entries_fupd g ∘
+ hashmap_hash_map_max_load_fupd f ∘ h) ∧
+ ((∀g f.
+ hashmap_hash_map_max_load_fupd f ∘
+ hashmap_hash_map_max_load_factor_fupd g =
+ hashmap_hash_map_max_load_factor_fupd g ∘
+ hashmap_hash_map_max_load_fupd f) ∧
+ ∀h g f.
+ hashmap_hash_map_max_load_fupd f ∘
+ hashmap_hash_map_max_load_factor_fupd g ∘ h =
+ hashmap_hash_map_max_load_factor_fupd g ∘
+ hashmap_hash_map_max_load_fupd f ∘ h) ∧
+ ((∀g f.
+ hashmap_hash_map_slots_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g =
+ hashmap_hash_map_num_entries_fupd g ∘
+ hashmap_hash_map_slots_fupd f) ∧
+ ∀h g f.
+ hashmap_hash_map_slots_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g ∘ h =
+ hashmap_hash_map_num_entries_fupd g ∘
+ hashmap_hash_map_slots_fupd f ∘ h) ∧
+ ((∀g f.
+ hashmap_hash_map_slots_fupd f ∘
+ hashmap_hash_map_max_load_factor_fupd g =
+ hashmap_hash_map_max_load_factor_fupd g ∘
+ hashmap_hash_map_slots_fupd f) ∧
+ ∀h g f.
+ hashmap_hash_map_slots_fupd f ∘
+ hashmap_hash_map_max_load_factor_fupd g ∘ h =
+ hashmap_hash_map_max_load_factor_fupd g ∘
+ hashmap_hash_map_slots_fupd f ∘ h) ∧
+ (∀g f.
+ hashmap_hash_map_slots_fupd f ∘ hashmap_hash_map_max_load_fupd g =
+ hashmap_hash_map_max_load_fupd g ∘ hashmap_hash_map_slots_fupd f) ∧
+ ∀h g f.
+ hashmap_hash_map_slots_fupd f ∘
+ hashmap_hash_map_max_load_fupd g ∘ h =
+ hashmap_hash_map_max_load_fupd g ∘
+ hashmap_hash_map_slots_fupd f ∘ h
+
+ [hashmap_hash_map_t_fupdfupds] Theorem
+
+ ⊢ (∀h g f.
+ h with
+ <|hashmap_hash_map_num_entries updated_by f;
+ hashmap_hash_map_num_entries updated_by g|> =
+ h with hashmap_hash_map_num_entries updated_by f ∘ g) ∧
+ (∀h g f.
+ h with
+ <|hashmap_hash_map_max_load_factor updated_by f;
+ hashmap_hash_map_max_load_factor updated_by g|> =
+ h with hashmap_hash_map_max_load_factor updated_by f ∘ g) ∧
+ (∀h g f.
+ h with
+ <|hashmap_hash_map_max_load updated_by f;
+ hashmap_hash_map_max_load updated_by g|> =
+ h with hashmap_hash_map_max_load updated_by f ∘ g) ∧
+ ∀h g f.
+ h with
+ <|hashmap_hash_map_slots updated_by f;
+ hashmap_hash_map_slots updated_by g|> =
+ h with hashmap_hash_map_slots updated_by f ∘ g
+
+ [hashmap_hash_map_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f.
+ hashmap_hash_map_num_entries_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g =
+ hashmap_hash_map_num_entries_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hashmap_hash_map_num_entries_fupd f ∘
+ hashmap_hash_map_num_entries_fupd g ∘ h =
+ hashmap_hash_map_num_entries_fupd (f ∘ g) ∘ h) ∧
+ ((∀g f.
+ hashmap_hash_map_max_load_factor_fupd f ∘
+ hashmap_hash_map_max_load_factor_fupd g =
+ hashmap_hash_map_max_load_factor_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hashmap_hash_map_max_load_factor_fupd f ∘
+ hashmap_hash_map_max_load_factor_fupd g ∘ h =
+ hashmap_hash_map_max_load_factor_fupd (f ∘ g) ∘ h) ∧
+ ((∀g f.
+ hashmap_hash_map_max_load_fupd f ∘
+ hashmap_hash_map_max_load_fupd g =
+ hashmap_hash_map_max_load_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hashmap_hash_map_max_load_fupd f ∘
+ hashmap_hash_map_max_load_fupd g ∘ h =
+ hashmap_hash_map_max_load_fupd (f ∘ g) ∘ h) ∧
+ (∀g f.
+ hashmap_hash_map_slots_fupd f ∘ hashmap_hash_map_slots_fupd g =
+ hashmap_hash_map_slots_fupd (f ∘ g)) ∧
+ ∀h g f.
+ hashmap_hash_map_slots_fupd f ∘ hashmap_hash_map_slots_fupd g ∘ h =
+ hashmap_hash_map_slots_fupd (f ∘ g) ∘ h
+
+ [hashmap_hash_map_t_induction] Theorem
+
+ ⊢ ∀P. (∀u p u0 v. P (hashmap_hash_map_t u p u0 v)) ⇒ ∀h. P h
+
+ [hashmap_hash_map_t_literal_11] Theorem
+
+ ⊢ ∀u01 p1 u1 v1 u02 p2 u2 v2.
+ <|hashmap_hash_map_num_entries := u01;
+ hashmap_hash_map_max_load_factor := p1;
+ hashmap_hash_map_max_load := u1; hashmap_hash_map_slots := v1|> =
+ <|hashmap_hash_map_num_entries := u02;
+ hashmap_hash_map_max_load_factor := p2;
+ hashmap_hash_map_max_load := u2; hashmap_hash_map_slots := v2|> ⇔
+ u01 = u02 ∧ p1 = p2 ∧ u1 = u2 ∧ v1 = v2
+
+ [hashmap_hash_map_t_literal_nchotomy] Theorem
+
+ ⊢ ∀h. ∃u0 p u v.
+ h =
+ <|hashmap_hash_map_num_entries := u0;
+ hashmap_hash_map_max_load_factor := p;
+ hashmap_hash_map_max_load := u; hashmap_hash_map_slots := v|>
+
+ [hashmap_hash_map_t_nchotomy] Theorem
+
+ ⊢ ∀hh. ∃u p u0 v. hh = hashmap_hash_map_t u p u0 v
+
+ [hashmap_hash_map_t_updates_eq_literal] Theorem
+
+ ⊢ ∀h u0 p u v.
+ h with
+ <|hashmap_hash_map_num_entries := u0;
+ hashmap_hash_map_max_load_factor := p;
+ hashmap_hash_map_max_load := u; hashmap_hash_map_slots := v|> =
+ <|hashmap_hash_map_num_entries := u0;
+ hashmap_hash_map_max_load_factor := p;
+ hashmap_hash_map_max_load := u; hashmap_hash_map_slots := v|>
+
+ [hashmap_list_t_11] Theorem
+
+ ⊢ ∀a0 a1 a2 a0' a1' a2'.
+ HashmapListCons a0 a1 a2 = HashmapListCons a0' a1' a2' ⇔
+ a0 = a0' ∧ a1 = a1' ∧ a2 = a2'
+
+ [hashmap_list_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a0 a1 a2. fn (HashmapListCons a0 a1 a2) = f0 a0 a1 a2 (fn a2)) ∧
+ fn HashmapListNil = f1
+
+ [hashmap_list_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧
+ (∀a0 a1 a2.
+ M' = HashmapListCons a0 a1 a2 ⇒ f a0 a1 a2 = f' a0 a1 a2) ∧
+ (M' = HashmapListNil ⇒ v = v') ⇒
+ hashmap_list_t_CASE M f v = hashmap_list_t_CASE M' f' v'
+
+ [hashmap_list_t_case_eq] Theorem
+
+ ⊢ hashmap_list_t_CASE x f v = v' ⇔
+ (∃u t h. x = HashmapListCons u t h ∧ f u t h = v') ∨
+ x = HashmapListNil ∧ v = v'
+
+ [hashmap_list_t_distinct] Theorem
+
+ ⊢ ∀a2 a1 a0. HashmapListCons a0 a1 a2 ≠ HashmapListNil
+
+ [hashmap_list_t_induction] Theorem
+
+ ⊢ ∀P. (∀h. P h ⇒ ∀t u. P (HashmapListCons u t h)) ∧ P HashmapListNil ⇒
+ ∀h. P h
+
+ [hashmap_list_t_nchotomy] Theorem
+
+ ⊢ ∀hh. (∃u t h. hh = HashmapListCons u t h) ∨ hh = HashmapListNil
+
+
+*)
+end
diff --git a/tests/hol4/misc-constants/Holmakefile b/tests/hol4/misc-constants/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/misc-constants/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/misc-constants/constantsScript.sml b/tests/hol4/misc-constants/constantsScript.sml
new file mode 100644
index 00000000..324d553d
--- /dev/null
+++ b/tests/hol4/misc-constants/constantsScript.sml
@@ -0,0 +1,225 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [constants] *)
+open primitivesLib divDefLib
+
+val _ = new_theory "constants"
+
+
+(** [constants::X0] *)
+Definition x0_body_def:
+ x0_body : u32 result = Return (int_to_u32 0)
+End
+Definition x0_c_def:
+ x0_c : u32 = get_return_value x0_body
+End
+
+(** [core::num::u32::{9}::MAX] *)
+Definition core_num_u32_max_body_def:
+ core_num_u32_max_body : u32 result = Return (int_to_u32 4294967295)
+End
+Definition core_num_u32_max_c_def:
+ core_num_u32_max_c : u32 = get_return_value core_num_u32_max_body
+End
+
+(** [constants::X1] *)
+Definition x1_body_def:
+ x1_body : u32 result = Return core_num_u32_max_c
+End
+Definition x1_c_def:
+ x1_c : u32 = get_return_value x1_body
+End
+
+(** [constants::X2] *)
+Definition x2_body_def:
+ x2_body : u32 result = Return (int_to_u32 3)
+End
+Definition x2_c_def:
+ x2_c : u32 = get_return_value x2_body
+End
+
+val incr_fwd_def = Define ‘
+ (** [constants::incr] *)
+ incr_fwd (n : u32) : u32 result =
+ u32_add n (int_to_u32 1)
+’
+
+(** [constants::X3] *)
+Definition x3_body_def:
+ x3_body : u32 result = incr_fwd (int_to_u32 32)
+End
+Definition x3_c_def:
+ x3_c : u32 = get_return_value x3_body
+End
+
+val mk_pair0_fwd_def = Define ‘
+ (** [constants::mk_pair0] *)
+ mk_pair0_fwd (x : u32) (y : u32) : (u32 # u32) result =
+ Return (x, y)
+’
+
+Datatype:
+ (** [constants::Pair] *)
+ pair_t = <| pair_x : 't1; pair_y : 't2; |>
+End
+
+val mk_pair1_fwd_def = Define ‘
+ (** [constants::mk_pair1] *)
+ mk_pair1_fwd (x : u32) (y : u32) : (u32, u32) pair_t result =
+ Return (<| pair_x := x; pair_y := y |>)
+’
+
+(** [constants::P0] *)
+Definition p0_body_def:
+ p0_body : (u32 # u32) result = mk_pair0_fwd (int_to_u32 0) (int_to_u32 1)
+End
+Definition p0_c_def:
+ p0_c : (u32 # u32) = get_return_value p0_body
+End
+
+(** [constants::P1] *)
+Definition p1_body_def:
+ p1_body : (u32, u32) pair_t result =
+ mk_pair1_fwd (int_to_u32 0) (int_to_u32 1)
+End
+Definition p1_c_def:
+ p1_c : (u32, u32) pair_t = get_return_value p1_body
+End
+
+(** [constants::P2] *)
+Definition p2_body_def:
+ p2_body : (u32 # u32) result = Return (int_to_u32 0, int_to_u32 1)
+End
+Definition p2_c_def:
+ p2_c : (u32 # u32) = get_return_value p2_body
+End
+
+(** [constants::P3] *)
+Definition p3_body_def:
+ p3_body : (u32, u32) pair_t result =
+ Return (<| pair_x := (int_to_u32 0); pair_y := (int_to_u32 1) |>)
+End
+Definition p3_c_def:
+ p3_c : (u32, u32) pair_t = get_return_value p3_body
+End
+
+Datatype:
+ (** [constants::Wrap] *)
+ wrap_t = <| wrap_val : 't; |>
+End
+
+val wrap_new_fwd_def = Define ‘
+ (** [constants::Wrap::{0}::new] *)
+ wrap_new_fwd (val : 't) : 't wrap_t result =
+ Return (<| wrap_val := val |>)
+’
+
+(** [constants::Y] *)
+Definition y_body_def:
+ y_body : i32 wrap_t result = wrap_new_fwd (int_to_i32 2)
+End
+Definition y_c_def:
+ y_c : i32 wrap_t = get_return_value y_body
+End
+
+val unwrap_y_fwd_def = Define ‘
+ (** [constants::unwrap_y] *)
+ unwrap_y_fwd : i32 result =
+ Return y_c.wrap_val
+’
+
+(** [constants::YVAL] *)
+Definition yval_body_def:
+ yval_body : i32 result = unwrap_y_fwd
+End
+Definition yval_c_def:
+ yval_c : i32 = get_return_value yval_body
+End
+
+(** [constants::get_z1::Z1] *)
+Definition get_z1_z1_body_def:
+ get_z1_z1_body : i32 result = Return (int_to_i32 3)
+End
+Definition get_z1_z1_c_def:
+ get_z1_z1_c : i32 = get_return_value get_z1_z1_body
+End
+
+val get_z1_fwd_def = Define ‘
+ (** [constants::get_z1] *)
+ get_z1_fwd : i32 result =
+ Return get_z1_z1_c
+’
+
+val add_fwd_def = Define ‘
+ (** [constants::add] *)
+ add_fwd (a : i32) (b : i32) : i32 result =
+ i32_add a b
+’
+
+(** [constants::Q1] *)
+Definition q1_body_def:
+ q1_body : i32 result = Return (int_to_i32 5)
+End
+Definition q1_c_def:
+ q1_c : i32 = get_return_value q1_body
+End
+
+(** [constants::Q2] *)
+Definition q2_body_def:
+ q2_body : i32 result = Return q1_c
+End
+Definition q2_c_def:
+ q2_c : i32 = get_return_value q2_body
+End
+
+(** [constants::Q3] *)
+Definition q3_body_def:
+ q3_body : i32 result = add_fwd q2_c (int_to_i32 3)
+End
+Definition q3_c_def:
+ q3_c : i32 = get_return_value q3_body
+End
+
+val get_z2_fwd_def = Define ‘
+ (** [constants::get_z2] *)
+ get_z2_fwd : i32 result =
+ do
+ i <- get_z1_fwd;
+ i0 <- add_fwd i q3_c;
+ add_fwd q1_c i0
+ od
+’
+
+(** [constants::S1] *)
+Definition s1_body_def:
+ s1_body : u32 result = Return (int_to_u32 6)
+End
+Definition s1_c_def:
+ s1_c : u32 = get_return_value s1_body
+End
+
+(** [constants::S2] *)
+Definition s2_body_def:
+ s2_body : u32 result = incr_fwd s1_c
+End
+Definition s2_c_def:
+ s2_c : u32 = get_return_value s2_body
+End
+
+(** [constants::S3] *)
+Definition s3_body_def:
+ s3_body : (u32, u32) pair_t result = Return p3_c
+End
+Definition s3_c_def:
+ s3_c : (u32, u32) pair_t = get_return_value s3_body
+End
+
+(** [constants::S4] *)
+Definition s4_body_def:
+ s4_body : (u32, u32) pair_t result =
+ mk_pair1_fwd (int_to_u32 7) (int_to_u32 8)
+End
+Definition s4_c_def:
+ s4_c : (u32, u32) pair_t = get_return_value s4_body
+End
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-constants/constantsTheory.sig b/tests/hol4/misc-constants/constantsTheory.sig
new file mode 100644
index 00000000..6148221f
--- /dev/null
+++ b/tests/hol4/misc-constants/constantsTheory.sig
@@ -0,0 +1,548 @@
+signature constantsTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val add_fwd_def : thm
+ val core_num_u32_max_body_def : thm
+ val core_num_u32_max_c_def : thm
+ val get_z1_fwd_def : thm
+ val get_z1_z1_body_def : thm
+ val get_z1_z1_c_def : thm
+ val get_z2_fwd_def : thm
+ val incr_fwd_def : thm
+ val mk_pair0_fwd_def : thm
+ val mk_pair1_fwd_def : thm
+ val p0_body_def : thm
+ val p0_c_def : thm
+ val p1_body_def : thm
+ val p1_c_def : thm
+ val p2_body_def : thm
+ val p2_c_def : thm
+ val p3_body_def : thm
+ val p3_c_def : thm
+ val pair_t_TY_DEF : thm
+ val pair_t_case_def : thm
+ val pair_t_size_def : thm
+ val q1_body_def : thm
+ val q1_c_def : thm
+ val q2_body_def : thm
+ val q2_c_def : thm
+ val q3_body_def : thm
+ val q3_c_def : thm
+ val recordtype_pair_t_seldef_pair_x_def : thm
+ val recordtype_pair_t_seldef_pair_x_fupd_def : thm
+ val recordtype_pair_t_seldef_pair_y_def : thm
+ val recordtype_pair_t_seldef_pair_y_fupd_def : thm
+ val recordtype_wrap_t_seldef_wrap_val_def : thm
+ val recordtype_wrap_t_seldef_wrap_val_fupd_def : thm
+ val s1_body_def : thm
+ val s1_c_def : thm
+ val s2_body_def : thm
+ val s2_c_def : thm
+ val s3_body_def : thm
+ val s3_c_def : thm
+ val s4_body_def : thm
+ val s4_c_def : thm
+ val unwrap_y_fwd_def : thm
+ val wrap_new_fwd_def : thm
+ val wrap_t_TY_DEF : thm
+ val wrap_t_case_def : thm
+ val wrap_t_size_def : thm
+ val x0_body_def : thm
+ val x0_c_def : thm
+ val x1_body_def : thm
+ val x1_c_def : thm
+ val x2_body_def : thm
+ val x2_c_def : thm
+ val x3_body_def : thm
+ val x3_c_def : thm
+ val y_body_def : thm
+ val y_c_def : thm
+ val yval_body_def : thm
+ val yval_c_def : thm
+
+ (* Theorems *)
+ val EXISTS_pair_t : thm
+ val EXISTS_wrap_t : thm
+ val FORALL_pair_t : thm
+ val FORALL_wrap_t : thm
+ val datatype_pair_t : thm
+ val datatype_wrap_t : thm
+ val pair_t_11 : thm
+ val pair_t_Axiom : thm
+ val pair_t_accessors : thm
+ val pair_t_accfupds : thm
+ val pair_t_case_cong : thm
+ val pair_t_case_eq : thm
+ val pair_t_component_equality : thm
+ val pair_t_fn_updates : thm
+ val pair_t_fupdcanon : thm
+ val pair_t_fupdcanon_comp : thm
+ val pair_t_fupdfupds : thm
+ val pair_t_fupdfupds_comp : thm
+ val pair_t_induction : thm
+ val pair_t_literal_11 : thm
+ val pair_t_literal_nchotomy : thm
+ val pair_t_nchotomy : thm
+ val pair_t_updates_eq_literal : thm
+ val wrap_t_11 : thm
+ val wrap_t_Axiom : thm
+ val wrap_t_accessors : thm
+ val wrap_t_accfupds : thm
+ val wrap_t_case_cong : thm
+ val wrap_t_case_eq : thm
+ val wrap_t_component_equality : thm
+ val wrap_t_fn_updates : thm
+ val wrap_t_fupdfupds : thm
+ val wrap_t_fupdfupds_comp : thm
+ val wrap_t_induction : thm
+ val wrap_t_literal_11 : thm
+ val wrap_t_literal_nchotomy : thm
+ val wrap_t_nchotomy : thm
+ val wrap_t_updates_eq_literal : thm
+
+ val constants_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "constants"
+
+ [add_fwd_def] Definition
+
+ ⊢ ∀a b. add_fwd a b = i32_add a b
+
+ [core_num_u32_max_body_def] Definition
+
+ ⊢ core_num_u32_max_body = Return (int_to_u32 4294967295)
+
+ [core_num_u32_max_c_def] Definition
+
+ ⊢ core_num_u32_max_c = get_return_value core_num_u32_max_body
+
+ [get_z1_fwd_def] Definition
+
+ ⊢ get_z1_fwd = Return get_z1_z1_c
+
+ [get_z1_z1_body_def] Definition
+
+ ⊢ get_z1_z1_body = Return (int_to_i32 3)
+
+ [get_z1_z1_c_def] Definition
+
+ ⊢ get_z1_z1_c = get_return_value get_z1_z1_body
+
+ [get_z2_fwd_def] Definition
+
+ ⊢ get_z2_fwd =
+ do i <- get_z1_fwd; i0 <- add_fwd i q3_c; add_fwd q1_c i0 od
+
+ [incr_fwd_def] Definition
+
+ ⊢ ∀n. incr_fwd n = u32_add n (int_to_u32 1)
+
+ [mk_pair0_fwd_def] Definition
+
+ ⊢ ∀x y. mk_pair0_fwd x y = Return (x,y)
+
+ [mk_pair1_fwd_def] Definition
+
+ ⊢ ∀x y. mk_pair1_fwd x y = Return <|pair_x := x; pair_y := y|>
+
+ [p0_body_def] Definition
+
+ ⊢ p0_body = mk_pair0_fwd (int_to_u32 0) (int_to_u32 1)
+
+ [p0_c_def] Definition
+
+ ⊢ p0_c = get_return_value p0_body
+
+ [p1_body_def] Definition
+
+ ⊢ p1_body = mk_pair1_fwd (int_to_u32 0) (int_to_u32 1)
+
+ [p1_c_def] Definition
+
+ ⊢ p1_c = get_return_value p1_body
+
+ [p2_body_def] Definition
+
+ ⊢ p2_body = Return (int_to_u32 0,int_to_u32 1)
+
+ [p2_c_def] Definition
+
+ ⊢ p2_c = get_return_value p2_body
+
+ [p3_body_def] Definition
+
+ ⊢ p3_body = Return <|pair_x := int_to_u32 0; pair_y := int_to_u32 1|>
+
+ [p3_c_def] Definition
+
+ ⊢ p3_c = get_return_value p3_body
+
+ [pair_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('pair_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 (a0,a1)
+ (λn. ind_type$BOTTOM)) a0 a1) ⇒
+ $var$('pair_t') a0') ⇒
+ $var$('pair_t') a0') rep
+
+ [pair_t_case_def] Definition
+
+ ⊢ ∀a0 a1 f. pair_t_CASE (pair_t a0 a1) f = f a0 a1
+
+ [pair_t_size_def] Definition
+
+ ⊢ ∀f f1 a0 a1. pair_t_size f f1 (pair_t a0 a1) = 1 + (f a0 + f1 a1)
+
+ [q1_body_def] Definition
+
+ ⊢ q1_body = Return (int_to_i32 5)
+
+ [q1_c_def] Definition
+
+ ⊢ q1_c = get_return_value q1_body
+
+ [q2_body_def] Definition
+
+ ⊢ q2_body = Return q1_c
+
+ [q2_c_def] Definition
+
+ ⊢ q2_c = get_return_value q2_body
+
+ [q3_body_def] Definition
+
+ ⊢ q3_body = add_fwd q2_c (int_to_i32 3)
+
+ [q3_c_def] Definition
+
+ ⊢ q3_c = get_return_value q3_body
+
+ [recordtype_pair_t_seldef_pair_x_def] Definition
+
+ ⊢ ∀t t0. (pair_t t t0).pair_x = t
+
+ [recordtype_pair_t_seldef_pair_x_fupd_def] Definition
+
+ ⊢ ∀f t t0. pair_t t t0 with pair_x updated_by f = pair_t (f t) t0
+
+ [recordtype_pair_t_seldef_pair_y_def] Definition
+
+ ⊢ ∀t t0. (pair_t t t0).pair_y = t0
+
+ [recordtype_pair_t_seldef_pair_y_fupd_def] Definition
+
+ ⊢ ∀f t t0. pair_t t t0 with pair_y updated_by f = pair_t t (f t0)
+
+ [recordtype_wrap_t_seldef_wrap_val_def] Definition
+
+ ⊢ ∀t. (wrap_t t).wrap_val = t
+
+ [recordtype_wrap_t_seldef_wrap_val_fupd_def] Definition
+
+ ⊢ ∀f t. wrap_t t with wrap_val updated_by f = wrap_t (f t)
+
+ [s1_body_def] Definition
+
+ ⊢ s1_body = Return (int_to_u32 6)
+
+ [s1_c_def] Definition
+
+ ⊢ s1_c = get_return_value s1_body
+
+ [s2_body_def] Definition
+
+ ⊢ s2_body = incr_fwd s1_c
+
+ [s2_c_def] Definition
+
+ ⊢ s2_c = get_return_value s2_body
+
+ [s3_body_def] Definition
+
+ ⊢ s3_body = Return p3_c
+
+ [s3_c_def] Definition
+
+ ⊢ s3_c = get_return_value s3_body
+
+ [s4_body_def] Definition
+
+ ⊢ s4_body = mk_pair1_fwd (int_to_u32 7) (int_to_u32 8)
+
+ [s4_c_def] Definition
+
+ ⊢ s4_c = get_return_value s4_body
+
+ [unwrap_y_fwd_def] Definition
+
+ ⊢ unwrap_y_fwd = Return y_c.wrap_val
+
+ [wrap_new_fwd_def] Definition
+
+ ⊢ ∀val. wrap_new_fwd val = Return <|wrap_val := val|>
+
+ [wrap_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('wrap_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa. ind_type$CONSTR 0 a (λn. ind_type$BOTTOM))
+ a) ⇒
+ $var$('wrap_t') a0) ⇒
+ $var$('wrap_t') a0) rep
+
+ [wrap_t_case_def] Definition
+
+ ⊢ ∀a f. wrap_t_CASE (wrap_t a) f = f a
+
+ [wrap_t_size_def] Definition
+
+ ⊢ ∀f a. wrap_t_size f (wrap_t a) = 1 + f a
+
+ [x0_body_def] Definition
+
+ ⊢ x0_body = Return (int_to_u32 0)
+
+ [x0_c_def] Definition
+
+ ⊢ x0_c = get_return_value x0_body
+
+ [x1_body_def] Definition
+
+ ⊢ x1_body = Return core_num_u32_max_c
+
+ [x1_c_def] Definition
+
+ ⊢ x1_c = get_return_value x1_body
+
+ [x2_body_def] Definition
+
+ ⊢ x2_body = Return (int_to_u32 3)
+
+ [x2_c_def] Definition
+
+ ⊢ x2_c = get_return_value x2_body
+
+ [x3_body_def] Definition
+
+ ⊢ x3_body = incr_fwd (int_to_u32 32)
+
+ [x3_c_def] Definition
+
+ ⊢ x3_c = get_return_value x3_body
+
+ [y_body_def] Definition
+
+ ⊢ y_body = wrap_new_fwd (int_to_i32 2)
+
+ [y_c_def] Definition
+
+ ⊢ y_c = get_return_value y_body
+
+ [yval_body_def] Definition
+
+ ⊢ yval_body = unwrap_y_fwd
+
+ [yval_c_def] Definition
+
+ ⊢ yval_c = get_return_value yval_body
+
+ [EXISTS_pair_t] Theorem
+
+ ⊢ ∀P. (∃p. P p) ⇔ ∃t0 t. P <|pair_x := t0; pair_y := t|>
+
+ [EXISTS_wrap_t] Theorem
+
+ ⊢ ∀P. (∃w. P w) ⇔ ∃u. P <|wrap_val := u|>
+
+ [FORALL_pair_t] Theorem
+
+ ⊢ ∀P. (∀p. P p) ⇔ ∀t0 t. P <|pair_x := t0; pair_y := t|>
+
+ [FORALL_wrap_t] Theorem
+
+ ⊢ ∀P. (∀w. P w) ⇔ ∀u. P <|wrap_val := u|>
+
+ [datatype_pair_t] Theorem
+
+ ⊢ DATATYPE (record pair_t pair_x pair_y)
+
+ [datatype_wrap_t] Theorem
+
+ ⊢ DATATYPE (record wrap_t wrap_val)
+
+ [pair_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'. pair_t a0 a1 = pair_t a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [pair_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a0 a1. fn (pair_t a0 a1) = f a0 a1
+
+ [pair_t_accessors] Theorem
+
+ ⊢ (∀t t0. (pair_t t t0).pair_x = t) ∧
+ ∀t t0. (pair_t t t0).pair_y = t0
+
+ [pair_t_accfupds] Theorem
+
+ ⊢ (∀p f. (p with pair_y updated_by f).pair_x = p.pair_x) ∧
+ (∀p f. (p with pair_x updated_by f).pair_y = p.pair_y) ∧
+ (∀p f. (p with pair_x updated_by f).pair_x = f p.pair_x) ∧
+ ∀p f. (p with pair_y updated_by f).pair_y = f p.pair_y
+
+ [pair_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a0 a1. M' = pair_t a0 a1 ⇒ f a0 a1 = f' a0 a1) ⇒
+ pair_t_CASE M f = pair_t_CASE M' f'
+
+ [pair_t_case_eq] Theorem
+
+ ⊢ pair_t_CASE x f = v ⇔ ∃t t0. x = pair_t t t0 ∧ f t t0 = v
+
+ [pair_t_component_equality] Theorem
+
+ ⊢ ∀p1 p2. p1 = p2 ⇔ p1.pair_x = p2.pair_x ∧ p1.pair_y = p2.pair_y
+
+ [pair_t_fn_updates] Theorem
+
+ ⊢ (∀f t t0. pair_t t t0 with pair_x updated_by f = pair_t (f t) t0) ∧
+ ∀f t t0. pair_t t t0 with pair_y updated_by f = pair_t t (f t0)
+
+ [pair_t_fupdcanon] Theorem
+
+ ⊢ ∀p g f.
+ p with <|pair_y updated_by f; pair_x updated_by g|> =
+ p with <|pair_x updated_by g; pair_y updated_by f|>
+
+ [pair_t_fupdcanon_comp] Theorem
+
+ ⊢ (∀g f.
+ pair_y_fupd f ∘ pair_x_fupd g = pair_x_fupd g ∘ pair_y_fupd f) ∧
+ ∀h g f.
+ pair_y_fupd f ∘ pair_x_fupd g ∘ h =
+ pair_x_fupd g ∘ pair_y_fupd f ∘ h
+
+ [pair_t_fupdfupds] Theorem
+
+ ⊢ (∀p g f.
+ p with <|pair_x updated_by f; pair_x updated_by g|> =
+ p with pair_x updated_by f ∘ g) ∧
+ ∀p g f.
+ p with <|pair_y updated_by f; pair_y updated_by g|> =
+ p with pair_y updated_by f ∘ g
+
+ [pair_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f. pair_x_fupd f ∘ pair_x_fupd g = pair_x_fupd (f ∘ g)) ∧
+ ∀h g f.
+ pair_x_fupd f ∘ pair_x_fupd g ∘ h = pair_x_fupd (f ∘ g) ∘ h) ∧
+ (∀g f. pair_y_fupd f ∘ pair_y_fupd g = pair_y_fupd (f ∘ g)) ∧
+ ∀h g f. pair_y_fupd f ∘ pair_y_fupd g ∘ h = pair_y_fupd (f ∘ g) ∘ h
+
+ [pair_t_induction] Theorem
+
+ ⊢ ∀P. (∀t t0. P (pair_t t t0)) ⇒ ∀p. P p
+
+ [pair_t_literal_11] Theorem
+
+ ⊢ ∀t01 t1 t02 t2.
+ <|pair_x := t01; pair_y := t1|> = <|pair_x := t02; pair_y := t2|> ⇔
+ t01 = t02 ∧ t1 = t2
+
+ [pair_t_literal_nchotomy] Theorem
+
+ ⊢ ∀p. ∃t0 t. p = <|pair_x := t0; pair_y := t|>
+
+ [pair_t_nchotomy] Theorem
+
+ ⊢ ∀pp. ∃t t0. pp = pair_t t t0
+
+ [pair_t_updates_eq_literal] Theorem
+
+ ⊢ ∀p t0 t.
+ p with <|pair_x := t0; pair_y := t|> =
+ <|pair_x := t0; pair_y := t|>
+
+ [wrap_t_11] Theorem
+
+ ⊢ ∀a a'. wrap_t a = wrap_t a' ⇔ a = a'
+
+ [wrap_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a. fn (wrap_t a) = f a
+
+ [wrap_t_accessors] Theorem
+
+ ⊢ ∀t. (wrap_t t).wrap_val = t
+
+ [wrap_t_accfupds] Theorem
+
+ ⊢ ∀w f. (w with wrap_val updated_by f).wrap_val = f w.wrap_val
+
+ [wrap_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a. M' = wrap_t a ⇒ f a = f' a) ⇒
+ wrap_t_CASE M f = wrap_t_CASE M' f'
+
+ [wrap_t_case_eq] Theorem
+
+ ⊢ wrap_t_CASE x f = v ⇔ ∃t. x = wrap_t t ∧ f t = v
+
+ [wrap_t_component_equality] Theorem
+
+ ⊢ ∀w1 w2. w1 = w2 ⇔ w1.wrap_val = w2.wrap_val
+
+ [wrap_t_fn_updates] Theorem
+
+ ⊢ ∀f t. wrap_t t with wrap_val updated_by f = wrap_t (f t)
+
+ [wrap_t_fupdfupds] Theorem
+
+ ⊢ ∀w g f.
+ w with <|wrap_val updated_by f; wrap_val updated_by g|> =
+ w with wrap_val updated_by f ∘ g
+
+ [wrap_t_fupdfupds_comp] Theorem
+
+ ⊢ (∀g f. wrap_val_fupd f ∘ wrap_val_fupd g = wrap_val_fupd (f ∘ g)) ∧
+ ∀h g f.
+ wrap_val_fupd f ∘ wrap_val_fupd g ∘ h = wrap_val_fupd (f ∘ g) ∘ h
+
+ [wrap_t_induction] Theorem
+
+ ⊢ ∀P. (∀t. P (wrap_t t)) ⇒ ∀w. P w
+
+ [wrap_t_literal_11] Theorem
+
+ ⊢ ∀u1 u2. <|wrap_val := u1|> = <|wrap_val := u2|> ⇔ u1 = u2
+
+ [wrap_t_literal_nchotomy] Theorem
+
+ ⊢ ∀w. ∃u. w = <|wrap_val := u|>
+
+ [wrap_t_nchotomy] Theorem
+
+ ⊢ ∀ww. ∃t. ww = wrap_t t
+
+ [wrap_t_updates_eq_literal] Theorem
+
+ ⊢ ∀w u. w with wrap_val := u = <|wrap_val := u|>
+
+
+*)
+end
diff --git a/tests/hol4/misc-external/Holmakefile b/tests/hol4/misc-external/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/misc-external/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/misc-external/external_FunsScript.sml b/tests/hol4/misc-external/external_FunsScript.sml
new file mode 100644
index 00000000..8172bc1c
--- /dev/null
+++ b/tests/hol4/misc-external/external_FunsScript.sml
@@ -0,0 +1,108 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [external]: function definitions *)
+open primitivesLib divDefLib
+open external_TypesTheory external_OpaqueTheory
+
+val _ = new_theory "external_Funs"
+
+
+val swap_fwd_def = Define ‘
+ (** [external::swap] *)
+ swap_fwd (x : 't) (y : 't) (st : state) : (state # unit) result =
+ do
+ (st0, _) <- core_mem_swap_fwd x y st;
+ (st1, _) <- core_mem_swap_back0 x y st st0;
+ (st2, _) <- core_mem_swap_back1 x y st st1;
+ Return (st2, ())
+ od
+’
+
+val swap_back_def = Define ‘
+ (** [external::swap] *)
+ swap_back
+ (x : 't) (y : 't) (st : state) (st0 : state) : (state # ('t # 't)) result =
+ do
+ (st1, _) <- core_mem_swap_fwd x y st;
+ (st2, x0) <- core_mem_swap_back0 x y st st1;
+ (_, y0) <- core_mem_swap_back1 x y st st2;
+ Return (st0, (x0, y0))
+ od
+’
+
+val test_new_non_zero_u32_fwd_def = Define ‘
+ (** [external::test_new_non_zero_u32] *)
+ test_new_non_zero_u32_fwd
+ (x : u32) (st : state) : (state # core_num_nonzero_non_zero_u32_t) result =
+ do
+ (st0, opt) <- core_num_nonzero_non_zero_u32_new_fwd x st;
+ core_option_option_unwrap_fwd opt st0
+ od
+’
+
+val test_vec_fwd_def = Define ‘
+ (** [external::test_vec] *)
+ test_vec_fwd : unit result =
+ let v = vec_new in do
+ _ <- vec_push_back v (int_to_u32 0);
+ Return ()
+ od
+’
+
+(** Unit test for [external::test_vec] *)
+val _ = assert_return (“test_vec_fwd”)
+
+val custom_swap_fwd_def = Define ‘
+ (** [external::custom_swap] *)
+ custom_swap_fwd (x : 't) (y : 't) (st : state) : (state # 't) result =
+ do
+ (st0, _) <- core_mem_swap_fwd x y st;
+ (st1, x0) <- core_mem_swap_back0 x y st st0;
+ (st2, _) <- core_mem_swap_back1 x y st st1;
+ Return (st2, x0)
+ od
+’
+
+val custom_swap_back_def = Define ‘
+ (** [external::custom_swap] *)
+ custom_swap_back
+ (x : 't) (y : 't) (st : state) (ret : 't) (st0 : state) :
+ (state # ('t # 't)) result
+ =
+ do
+ (st1, _) <- core_mem_swap_fwd x y st;
+ (st2, _) <- core_mem_swap_back0 x y st st1;
+ (_, y0) <- core_mem_swap_back1 x y st st2;
+ Return (st0, (ret, y0))
+ od
+’
+
+val test_custom_swap_fwd_def = Define ‘
+ (** [external::test_custom_swap] *)
+ test_custom_swap_fwd
+ (x : u32) (y : u32) (st : state) : (state # unit) result =
+ do
+ (st0, _) <- custom_swap_fwd x y st;
+ Return (st0, ())
+ od
+’
+
+val test_custom_swap_back_def = Define ‘
+ (** [external::test_custom_swap] *)
+ test_custom_swap_back
+ (x : u32) (y : u32) (st : state) (st0 : state) :
+ (state # (u32 # u32)) result
+ =
+ custom_swap_back x y st (int_to_u32 1) st0
+’
+
+val test_swap_non_zero_fwd_def = Define ‘
+ (** [external::test_swap_non_zero] *)
+ test_swap_non_zero_fwd (x : u32) (st : state) : (state # u32) result =
+ do
+ (st0, _) <- swap_fwd x (int_to_u32 0) st;
+ (st1, (x0, _)) <- swap_back x (int_to_u32 0) st st0;
+ if x0 = int_to_u32 0 then Fail Failure else Return (st1, x0)
+ od
+’
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-external/external_FunsTheory.sig b/tests/hol4/misc-external/external_FunsTheory.sig
new file mode 100644
index 00000000..490f9d06
--- /dev/null
+++ b/tests/hol4/misc-external/external_FunsTheory.sig
@@ -0,0 +1,105 @@
+signature external_FunsTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val custom_swap_back_def : thm
+ val custom_swap_fwd_def : thm
+ val swap_back_def : thm
+ val swap_fwd_def : thm
+ val test_custom_swap_back_def : thm
+ val test_custom_swap_fwd_def : thm
+ val test_new_non_zero_u32_fwd_def : thm
+ val test_swap_non_zero_fwd_def : thm
+ val test_vec_fwd_def : thm
+
+ val external_Funs_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [external_Opaque] Parent theory of "external_Funs"
+
+ [custom_swap_back_def] Definition
+
+ ⊢ ∀x y st ret st0.
+ custom_swap_back x y st ret st0 =
+ do
+ (st1,_) <- core_mem_swap_fwd x y st;
+ (st2,_) <- core_mem_swap_back0 x y st st1;
+ (_,y0) <- core_mem_swap_back1 x y st st2;
+ Return (st0,ret,y0)
+ od
+
+ [custom_swap_fwd_def] Definition
+
+ ⊢ ∀x y st.
+ custom_swap_fwd x y st =
+ do
+ (st0,_) <- core_mem_swap_fwd x y st;
+ (st1,x0) <- core_mem_swap_back0 x y st st0;
+ (st2,_) <- core_mem_swap_back1 x y st st1;
+ Return (st2,x0)
+ od
+
+ [swap_back_def] Definition
+
+ ⊢ ∀x y st st0.
+ swap_back x y st st0 =
+ do
+ (st1,_) <- core_mem_swap_fwd x y st;
+ (st2,x0) <- core_mem_swap_back0 x y st st1;
+ (_,y0) <- core_mem_swap_back1 x y st st2;
+ Return (st0,x0,y0)
+ od
+
+ [swap_fwd_def] Definition
+
+ ⊢ ∀x y st.
+ swap_fwd x y st =
+ do
+ (st0,_) <- core_mem_swap_fwd x y st;
+ (st1,_) <- core_mem_swap_back0 x y st st0;
+ (st2,_) <- core_mem_swap_back1 x y st st1;
+ Return (st2,())
+ od
+
+ [test_custom_swap_back_def] Definition
+
+ ⊢ ∀x y st st0.
+ test_custom_swap_back x y st st0 =
+ custom_swap_back x y st (int_to_u32 1) st0
+
+ [test_custom_swap_fwd_def] Definition
+
+ ⊢ ∀x y st.
+ test_custom_swap_fwd x y st =
+ do (st0,_) <- custom_swap_fwd x y st; Return (st0,()) od
+
+ [test_new_non_zero_u32_fwd_def] Definition
+
+ ⊢ ∀x st.
+ test_new_non_zero_u32_fwd x st =
+ do
+ (st0,opt) <- core_num_nonzero_non_zero_u32_new_fwd x st;
+ core_option_option_unwrap_fwd opt st0
+ od
+
+ [test_swap_non_zero_fwd_def] Definition
+
+ ⊢ ∀x st.
+ test_swap_non_zero_fwd x st =
+ do
+ (st0,_) <- swap_fwd x (int_to_u32 0) st;
+ (st1,x0,_) <- swap_back x (int_to_u32 0) st st0;
+ if x0 = int_to_u32 0 then Fail Failure else Return (st1,x0)
+ od
+
+ [test_vec_fwd_def] Definition
+
+ ⊢ test_vec_fwd =
+ (let
+ v = vec_new
+ in
+ monad_ignore_bind (vec_push_back v (int_to_u32 0)) (Return ()))
+
+
+*)
+end
diff --git a/tests/hol4/misc-external/external_OpaqueScript.sml b/tests/hol4/misc-external/external_OpaqueScript.sml
new file mode 100644
index 00000000..e2fd281d
--- /dev/null
+++ b/tests/hol4/misc-external/external_OpaqueScript.sml
@@ -0,0 +1,25 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [external]: opaque function definitions *)
+open primitivesLib divDefLib
+open external_TypesTheory
+
+val _ = new_theory "external_Opaque"
+
+
+val _ = new_constant ("core_mem_swap_fwd",
+ “:'t -> 't -> state -> (state # unit) result”)
+
+val _ = new_constant ("core_mem_swap_back0",
+ “:'t -> 't -> state -> state -> (state # 't) result”)
+
+val _ = new_constant ("core_mem_swap_back1",
+ “:'t -> 't -> state -> state -> (state # 't) result”)
+
+val _ = new_constant ("core_num_nonzero_non_zero_u32_new_fwd",
+ “:u32 -> state -> (state # core_num_nonzero_non_zero_u32_t option)
+ result”)
+
+val _ = new_constant ("core_option_option_unwrap_fwd",
+ “:'t option -> state -> (state # 't) result”)
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-external/external_OpaqueTheory.sig b/tests/hol4/misc-external/external_OpaqueTheory.sig
new file mode 100644
index 00000000..7cd7a08c
--- /dev/null
+++ b/tests/hol4/misc-external/external_OpaqueTheory.sig
@@ -0,0 +1,11 @@
+signature external_OpaqueTheory =
+sig
+ type thm = Thm.thm
+
+ val external_Opaque_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [external_Types] Parent theory of "external_Opaque"
+
+
+*)
+end
diff --git a/tests/hol4/misc-external/external_TypesScript.sml b/tests/hol4/misc-external/external_TypesScript.sml
new file mode 100644
index 00000000..d290c3f6
--- /dev/null
+++ b/tests/hol4/misc-external/external_TypesScript.sml
@@ -0,0 +1,13 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [external]: type definitions *)
+open primitivesLib divDefLib
+
+val _ = new_theory "external_Types"
+
+
+val _ = new_type ("core_num_nonzero_non_zero_u32_t", 0)
+
+(** The state type used in the state-error monad *)
+val _ = new_type ("state", 0)
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-external/external_TypesTheory.sig b/tests/hol4/misc-external/external_TypesTheory.sig
new file mode 100644
index 00000000..17e2e8e3
--- /dev/null
+++ b/tests/hol4/misc-external/external_TypesTheory.sig
@@ -0,0 +1,11 @@
+signature external_TypesTheory =
+sig
+ type thm = Thm.thm
+
+ val external_Types_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "external_Types"
+
+
+*)
+end
diff --git a/tests/hol4/misc-loops/Holmakefile b/tests/hol4/misc-loops/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/misc-loops/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/misc-loops/loops_FunsScript.sml b/tests/hol4/misc-loops/loops_FunsScript.sml
new file mode 100644
index 00000000..f0ef036b
--- /dev/null
+++ b/tests/hol4/misc-loops/loops_FunsScript.sml
@@ -0,0 +1,753 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [loops]: function definitions *)
+open primitivesLib divDefLib
+open loops_TypesTheory
+
+val _ = new_theory "loops_Funs"
+
+
+val [sum_loop_fwd_def] = DefineDiv ‘
+ (** [loops::sum] *)
+ sum_loop_fwd (max : u32) (i : u32) (s : u32) : u32 result =
+ if u32_lt i max
+ then (
+ do
+ s0 <- u32_add s i;
+ i0 <- u32_add i (int_to_u32 1);
+ sum_loop_fwd max i0 s0
+ od)
+ else u32_mul s (int_to_u32 2)
+’
+
+val sum_fwd_def = Define ‘
+ (** [loops::sum] *)
+ sum_fwd (max : u32) : u32 result =
+ sum_loop_fwd max (int_to_u32 0) (int_to_u32 0)
+’
+
+val [sum_with_mut_borrows_loop_fwd_def] = DefineDiv ‘
+ (** [loops::sum_with_mut_borrows] *)
+ sum_with_mut_borrows_loop_fwd
+ (max : u32) (mi : u32) (ms : u32) : u32 result =
+ if u32_lt mi max
+ then (
+ do
+ ms0 <- u32_add ms mi;
+ mi0 <- u32_add mi (int_to_u32 1);
+ sum_with_mut_borrows_loop_fwd max mi0 ms0
+ od)
+ else u32_mul ms (int_to_u32 2)
+’
+
+val sum_with_mut_borrows_fwd_def = Define ‘
+ (** [loops::sum_with_mut_borrows] *)
+ sum_with_mut_borrows_fwd (max : u32) : u32 result =
+ sum_with_mut_borrows_loop_fwd max (int_to_u32 0) (int_to_u32 0)
+’
+
+val [sum_with_shared_borrows_loop_fwd_def] = DefineDiv ‘
+ (** [loops::sum_with_shared_borrows] *)
+ sum_with_shared_borrows_loop_fwd
+ (max : u32) (i : u32) (s : u32) : u32 result =
+ if u32_lt i max
+ then (
+ do
+ i0 <- u32_add i (int_to_u32 1);
+ s0 <- u32_add s i0;
+ sum_with_shared_borrows_loop_fwd max i0 s0
+ od)
+ else u32_mul s (int_to_u32 2)
+’
+
+val sum_with_shared_borrows_fwd_def = Define ‘
+ (** [loops::sum_with_shared_borrows] *)
+ sum_with_shared_borrows_fwd (max : u32) : u32 result =
+ sum_with_shared_borrows_loop_fwd max (int_to_u32 0) (int_to_u32 0)
+’
+
+val [clear_loop_fwd_back_def] = DefineDiv ‘
+ (** [loops::clear] *)
+ clear_loop_fwd_back (v : u32 vec) (i : usize) : u32 vec result =
+ let i0 = vec_len v in
+ if usize_lt i i0
+ then (
+ do
+ i1 <- usize_add i (int_to_usize 1);
+ v0 <- vec_index_mut_back v i (int_to_u32 0);
+ clear_loop_fwd_back v0 i1
+ od)
+ else Return v
+’
+
+val clear_fwd_back_def = Define ‘
+ (** [loops::clear] *)
+ clear_fwd_back (v : u32 vec) : u32 vec result =
+ clear_loop_fwd_back v (int_to_usize 0)
+’
+
+val [list_mem_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_mem] *)
+ list_mem_loop_fwd (x : u32) (ls : u32 list_t) : bool result =
+ (case ls of
+ | ListCons y tl => if y = x then Return T else list_mem_loop_fwd x tl
+ | ListNil => Return F)
+’
+
+val list_mem_fwd_def = Define ‘
+ (** [loops::list_mem] *)
+ list_mem_fwd (x : u32) (ls : u32 list_t) : bool result =
+ list_mem_loop_fwd x ls
+’
+
+val [list_nth_mut_loop_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop] *)
+ list_nth_mut_loop_loop_fwd (ls : 't list_t) (i : u32) : 't result =
+ (case ls of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return x
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_loop_fwd tl i0
+ od)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_fwd_def = Define ‘
+ (** [loops::list_nth_mut_loop] *)
+ list_nth_mut_loop_fwd (ls : 't list_t) (i : u32) : 't result =
+ list_nth_mut_loop_loop_fwd ls i
+’
+
+val [list_nth_mut_loop_loop_back_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop] *)
+ list_nth_mut_loop_loop_back
+ (ls : 't list_t) (i : u32) (ret : 't) : 't list_t result =
+ (case ls of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_loop_loop_back tl i0 ret;
+ Return (ListCons x tl0)
+ od)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_back_def = Define ‘
+ (** [loops::list_nth_mut_loop] *)
+ list_nth_mut_loop_back
+ (ls : 't list_t) (i : u32) (ret : 't) : 't list_t result =
+ list_nth_mut_loop_loop_back ls i ret
+’
+
+val [list_nth_shared_loop_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_loop] *)
+ list_nth_shared_loop_loop_fwd (ls : 't list_t) (i : u32) : 't result =
+ (case ls of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return x
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_loop_fwd tl i0
+ od)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_loop_fwd_def = Define ‘
+ (** [loops::list_nth_shared_loop] *)
+ list_nth_shared_loop_fwd (ls : 't list_t) (i : u32) : 't result =
+ list_nth_shared_loop_loop_fwd ls i
+’
+
+val [get_elem_mut_loop_fwd_def] = DefineDiv ‘
+ (** [loops::get_elem_mut] *)
+ get_elem_mut_loop_fwd (x : usize) (ls : usize list_t) : usize result =
+ (case ls of
+ | ListCons y tl => if y = x then Return y else get_elem_mut_loop_fwd x tl
+ | ListNil => Fail Failure)
+’
+
+val get_elem_mut_fwd_def = Define ‘
+ (** [loops::get_elem_mut] *)
+ get_elem_mut_fwd (slots : usize list_t vec) (x : usize) : usize result =
+ do
+ l <- vec_index_mut_fwd slots (int_to_usize 0);
+ get_elem_mut_loop_fwd x l
+ od
+’
+
+val [get_elem_mut_loop_back_def] = DefineDiv ‘
+ (** [loops::get_elem_mut] *)
+ get_elem_mut_loop_back
+ (x : usize) (ls : usize list_t) (ret : usize) : usize list_t result =
+ (case ls of
+ | ListCons y tl =>
+ if y = x
+ then Return (ListCons ret tl)
+ else (
+ do
+ tl0 <- get_elem_mut_loop_back x tl ret;
+ Return (ListCons y tl0)
+ od)
+ | ListNil => Fail Failure)
+’
+
+val get_elem_mut_back_def = Define ‘
+ (** [loops::get_elem_mut] *)
+ get_elem_mut_back
+ (slots : usize list_t vec) (x : usize) (ret : usize) :
+ usize list_t vec result
+ =
+ do
+ l <- vec_index_mut_fwd slots (int_to_usize 0);
+ l0 <- get_elem_mut_loop_back x l ret;
+ vec_index_mut_back slots (int_to_usize 0) l0
+ od
+’
+
+val [get_elem_shared_loop_fwd_def] = DefineDiv ‘
+ (** [loops::get_elem_shared] *)
+ get_elem_shared_loop_fwd (x : usize) (ls : usize list_t) : usize result =
+ (case ls of
+ | ListCons y tl =>
+ if y = x then Return y else get_elem_shared_loop_fwd x tl
+ | ListNil => Fail Failure)
+’
+
+val get_elem_shared_fwd_def = Define ‘
+ (** [loops::get_elem_shared] *)
+ get_elem_shared_fwd (slots : usize list_t vec) (x : usize) : usize result =
+ do
+ l <- vec_index_fwd slots (int_to_usize 0);
+ get_elem_shared_loop_fwd x l
+ od
+’
+
+val id_mut_fwd_def = Define ‘
+ (** [loops::id_mut] *)
+ id_mut_fwd (ls : 't list_t) : 't list_t result =
+ Return ls
+’
+
+val id_mut_back_def = Define ‘
+ (** [loops::id_mut] *)
+ id_mut_back (ls : 't list_t) (ret : 't list_t) : 't list_t result =
+ Return ret
+’
+
+val id_shared_fwd_def = Define ‘
+ (** [loops::id_shared] *)
+ id_shared_fwd (ls : 't list_t) : 't list_t result =
+ Return ls
+’
+
+val [list_nth_mut_loop_with_id_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop_with_id] *)
+ list_nth_mut_loop_with_id_loop_fwd (i : u32) (ls : 't list_t) : 't result =
+ (case ls of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return x
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_with_id_loop_fwd i0 tl
+ od)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_with_id_fwd_def = Define ‘
+ (** [loops::list_nth_mut_loop_with_id] *)
+ list_nth_mut_loop_with_id_fwd (ls : 't list_t) (i : u32) : 't result =
+ do
+ ls0 <- id_mut_fwd ls;
+ list_nth_mut_loop_with_id_loop_fwd i ls0
+ od
+’
+
+val [list_nth_mut_loop_with_id_loop_back_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop_with_id] *)
+ list_nth_mut_loop_with_id_loop_back
+ (i : u32) (ls : 't list_t) (ret : 't) : 't list_t result =
+ (case ls of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_loop_with_id_loop_back i0 tl ret;
+ Return (ListCons x tl0)
+ od)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_with_id_back_def = Define ‘
+ (** [loops::list_nth_mut_loop_with_id] *)
+ list_nth_mut_loop_with_id_back
+ (ls : 't list_t) (i : u32) (ret : 't) : 't list_t result =
+ do
+ ls0 <- id_mut_fwd ls;
+ l <- list_nth_mut_loop_with_id_loop_back i ls0 ret;
+ id_mut_back ls l
+ od
+’
+
+val [list_nth_shared_loop_with_id_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_loop_with_id] *)
+ list_nth_shared_loop_with_id_loop_fwd
+ (i : u32) (ls : 't list_t) : 't result =
+ (case ls of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return x
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_with_id_loop_fwd i0 tl
+ od)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_loop_with_id_fwd_def = Define ‘
+ (** [loops::list_nth_shared_loop_with_id] *)
+ list_nth_shared_loop_with_id_fwd (ls : 't list_t) (i : u32) : 't result =
+ do
+ ls0 <- id_shared_fwd ls;
+ list_nth_shared_loop_with_id_loop_fwd i ls0
+ od
+’
+
+val [list_nth_mut_loop_pair_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop_pair] *)
+ list_nth_mut_loop_pair_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_pair_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_pair_fwd_def = Define ‘
+ (** [loops::list_nth_mut_loop_pair] *)
+ list_nth_mut_loop_pair_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_mut_loop_pair_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_mut_loop_pair_loop_back'a_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop_pair] *)
+ list_nth_mut_loop_pair_loop_back'a
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl0)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl00 <- list_nth_mut_loop_pair_loop_back'a tl0 tl1 i0 ret;
+ Return (ListCons x0 tl00)
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_pair_back'a_def = Define ‘
+ (** [loops::list_nth_mut_loop_pair] *)
+ list_nth_mut_loop_pair_back'a
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ list_nth_mut_loop_pair_loop_back'a ls0 ls1 i ret
+’
+
+val [list_nth_mut_loop_pair_loop_back'b_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop_pair] *)
+ list_nth_mut_loop_pair_loop_back'b
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl10 <- list_nth_mut_loop_pair_loop_back'b tl0 tl1 i0 ret;
+ Return (ListCons x1 tl10)
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_pair_back'b_def = Define ‘
+ (** [loops::list_nth_mut_loop_pair] *)
+ list_nth_mut_loop_pair_back'b
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ list_nth_mut_loop_pair_loop_back'b ls0 ls1 i ret
+’
+
+val [list_nth_shared_loop_pair_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_loop_pair] *)
+ list_nth_shared_loop_pair_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_pair_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_loop_pair_fwd_def = Define ‘
+ (** [loops::list_nth_shared_loop_pair] *)
+ list_nth_shared_loop_pair_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_shared_loop_pair_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_mut_loop_pair_merge_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop_pair_merge] *)
+ list_nth_mut_loop_pair_merge_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_pair_merge_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_pair_merge_fwd_def = Define ‘
+ (** [loops::list_nth_mut_loop_pair_merge] *)
+ list_nth_mut_loop_pair_merge_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_mut_loop_pair_merge_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_mut_loop_pair_merge_loop_back_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_loop_pair_merge] *)
+ list_nth_mut_loop_pair_merge_loop_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : ('t # 't)) :
+ ('t list_t # 't list_t) result
+ =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then let (t, t0) = ret in Return (ListCons t tl0, ListCons t0 tl1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ (tl00, tl10) <-
+ list_nth_mut_loop_pair_merge_loop_back tl0 tl1 i0 ret;
+ Return (ListCons x0 tl00, ListCons x1 tl10)
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_loop_pair_merge_back_def = Define ‘
+ (** [loops::list_nth_mut_loop_pair_merge] *)
+ list_nth_mut_loop_pair_merge_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : ('t # 't)) :
+ ('t list_t # 't list_t) result
+ =
+ list_nth_mut_loop_pair_merge_loop_back ls0 ls1 i ret
+’
+
+val [list_nth_shared_loop_pair_merge_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_loop_pair_merge] *)
+ list_nth_shared_loop_pair_merge_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_pair_merge_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_loop_pair_merge_fwd_def = Define ‘
+ (** [loops::list_nth_shared_loop_pair_merge] *)
+ list_nth_shared_loop_pair_merge_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_shared_loop_pair_merge_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_mut_shared_loop_pair_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_shared_loop_pair] *)
+ list_nth_mut_shared_loop_pair_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_shared_loop_pair_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_shared_loop_pair_fwd_def = Define ‘
+ (** [loops::list_nth_mut_shared_loop_pair] *)
+ list_nth_mut_shared_loop_pair_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_mut_shared_loop_pair_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_mut_shared_loop_pair_loop_back_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_shared_loop_pair] *)
+ list_nth_mut_shared_loop_pair_loop_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl0)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl00 <- list_nth_mut_shared_loop_pair_loop_back tl0 tl1 i0 ret;
+ Return (ListCons x0 tl00)
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_shared_loop_pair_back_def = Define ‘
+ (** [loops::list_nth_mut_shared_loop_pair] *)
+ list_nth_mut_shared_loop_pair_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ list_nth_mut_shared_loop_pair_loop_back ls0 ls1 i ret
+’
+
+val [list_nth_mut_shared_loop_pair_merge_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_shared_loop_pair_merge] *)
+ list_nth_mut_shared_loop_pair_merge_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_shared_loop_pair_merge_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_shared_loop_pair_merge_fwd_def = Define ‘
+ (** [loops::list_nth_mut_shared_loop_pair_merge] *)
+ list_nth_mut_shared_loop_pair_merge_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_mut_shared_loop_pair_merge_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_mut_shared_loop_pair_merge_loop_back_def] = DefineDiv ‘
+ (** [loops::list_nth_mut_shared_loop_pair_merge] *)
+ list_nth_mut_shared_loop_pair_merge_loop_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl0)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl00 <- list_nth_mut_shared_loop_pair_merge_loop_back tl0 tl1 i0 ret;
+ Return (ListCons x0 tl00)
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_mut_shared_loop_pair_merge_back_def = Define ‘
+ (** [loops::list_nth_mut_shared_loop_pair_merge] *)
+ list_nth_mut_shared_loop_pair_merge_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ list_nth_mut_shared_loop_pair_merge_loop_back ls0 ls1 i ret
+’
+
+val [list_nth_shared_mut_loop_pair_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_mut_loop_pair] *)
+ list_nth_shared_mut_loop_pair_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_mut_loop_pair_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_mut_loop_pair_fwd_def = Define ‘
+ (** [loops::list_nth_shared_mut_loop_pair] *)
+ list_nth_shared_mut_loop_pair_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_shared_mut_loop_pair_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_shared_mut_loop_pair_loop_back_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_mut_loop_pair] *)
+ list_nth_shared_mut_loop_pair_loop_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl10 <- list_nth_shared_mut_loop_pair_loop_back tl0 tl1 i0 ret;
+ Return (ListCons x1 tl10)
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_mut_loop_pair_back_def = Define ‘
+ (** [loops::list_nth_shared_mut_loop_pair] *)
+ list_nth_shared_mut_loop_pair_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ list_nth_shared_mut_loop_pair_loop_back ls0 ls1 i ret
+’
+
+val [list_nth_shared_mut_loop_pair_merge_loop_fwd_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_mut_loop_pair_merge] *)
+ list_nth_shared_mut_loop_pair_merge_loop_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (x0, x1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_mut_loop_pair_merge_loop_fwd tl0 tl1 i0
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_mut_loop_pair_merge_fwd_def = Define ‘
+ (** [loops::list_nth_shared_mut_loop_pair_merge] *)
+ list_nth_shared_mut_loop_pair_merge_fwd
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) : ('t # 't) result =
+ list_nth_shared_mut_loop_pair_merge_loop_fwd ls0 ls1 i
+’
+
+val [list_nth_shared_mut_loop_pair_merge_loop_back_def] = DefineDiv ‘
+ (** [loops::list_nth_shared_mut_loop_pair_merge] *)
+ list_nth_shared_mut_loop_pair_merge_loop_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ (case ls0 of
+ | ListCons x0 tl0 =>
+ (case ls1 of
+ | ListCons x1 tl1 =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl1)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl10 <- list_nth_shared_mut_loop_pair_merge_loop_back tl0 tl1 i0 ret;
+ Return (ListCons x1 tl10)
+ od)
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure)
+’
+
+val list_nth_shared_mut_loop_pair_merge_back_def = Define ‘
+ (** [loops::list_nth_shared_mut_loop_pair_merge] *)
+ list_nth_shared_mut_loop_pair_merge_back
+ (ls0 : 't list_t) (ls1 : 't list_t) (i : u32) (ret : 't) :
+ 't list_t result
+ =
+ list_nth_shared_mut_loop_pair_merge_loop_back ls0 ls1 i ret
+’
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-loops/loops_FunsTheory.sig b/tests/hol4/misc-loops/loops_FunsTheory.sig
new file mode 100644
index 00000000..63fe56c9
--- /dev/null
+++ b/tests/hol4/misc-loops/loops_FunsTheory.sig
@@ -0,0 +1,731 @@
+signature loops_FunsTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val clear_fwd_back_def : thm
+ val clear_loop_fwd_back_def : thm
+ val get_elem_mut_back_def : thm
+ val get_elem_mut_fwd_def : thm
+ val get_elem_mut_loop_back_def : thm
+ val get_elem_mut_loop_fwd_def : thm
+ val get_elem_shared_fwd_def : thm
+ val get_elem_shared_loop_fwd_def : thm
+ val id_mut_back_def : thm
+ val id_mut_fwd_def : thm
+ val id_shared_fwd_def : thm
+ val list_mem_fwd_def : thm
+ val list_mem_loop_fwd_def : thm
+ val list_nth_mut_loop_back_def : thm
+ val list_nth_mut_loop_fwd_def : thm
+ val list_nth_mut_loop_loop_back_def : thm
+ val list_nth_mut_loop_loop_fwd_def : thm
+ val list_nth_mut_loop_pair_back'a_def : thm
+ val list_nth_mut_loop_pair_back'b_def : thm
+ val list_nth_mut_loop_pair_fwd_def : thm
+ val list_nth_mut_loop_pair_loop_back'a_def : thm
+ val list_nth_mut_loop_pair_loop_back'b_def : thm
+ val list_nth_mut_loop_pair_loop_fwd_def : thm
+ val list_nth_mut_loop_pair_merge_back_def : thm
+ val list_nth_mut_loop_pair_merge_fwd_def : thm
+ val list_nth_mut_loop_pair_merge_loop_back_def : thm
+ val list_nth_mut_loop_pair_merge_loop_fwd_def : thm
+ val list_nth_mut_loop_with_id_back_def : thm
+ val list_nth_mut_loop_with_id_fwd_def : thm
+ val list_nth_mut_loop_with_id_loop_back_def : thm
+ val list_nth_mut_loop_with_id_loop_fwd_def : thm
+ val list_nth_mut_shared_loop_pair_back_def : thm
+ val list_nth_mut_shared_loop_pair_fwd_def : thm
+ val list_nth_mut_shared_loop_pair_loop_back_def : thm
+ val list_nth_mut_shared_loop_pair_loop_fwd_def : thm
+ val list_nth_mut_shared_loop_pair_merge_back_def : thm
+ val list_nth_mut_shared_loop_pair_merge_fwd_def : thm
+ val list_nth_mut_shared_loop_pair_merge_loop_back_def : thm
+ val list_nth_mut_shared_loop_pair_merge_loop_fwd_def : thm
+ val list_nth_shared_loop_fwd_def : thm
+ val list_nth_shared_loop_loop_fwd_def : thm
+ val list_nth_shared_loop_pair_fwd_def : thm
+ val list_nth_shared_loop_pair_loop_fwd_def : thm
+ val list_nth_shared_loop_pair_merge_fwd_def : thm
+ val list_nth_shared_loop_pair_merge_loop_fwd_def : thm
+ val list_nth_shared_loop_with_id_fwd_def : thm
+ val list_nth_shared_loop_with_id_loop_fwd_def : thm
+ val list_nth_shared_mut_loop_pair_back_def : thm
+ val list_nth_shared_mut_loop_pair_fwd_def : thm
+ val list_nth_shared_mut_loop_pair_loop_back_def : thm
+ val list_nth_shared_mut_loop_pair_loop_fwd_def : thm
+ val list_nth_shared_mut_loop_pair_merge_back_def : thm
+ val list_nth_shared_mut_loop_pair_merge_fwd_def : thm
+ val list_nth_shared_mut_loop_pair_merge_loop_back_def : thm
+ val list_nth_shared_mut_loop_pair_merge_loop_fwd_def : thm
+ val sum_fwd_def : thm
+ val sum_loop_fwd_def : thm
+ val sum_with_mut_borrows_fwd_def : thm
+ val sum_with_mut_borrows_loop_fwd_def : thm
+ val sum_with_shared_borrows_fwd_def : thm
+ val sum_with_shared_borrows_loop_fwd_def : thm
+
+ val loops_Funs_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [loops_Types] Parent theory of "loops_Funs"
+
+ [clear_fwd_back_def] Definition
+
+ ⊢ ∀v. clear_fwd_back v = clear_loop_fwd_back v (int_to_usize 0)
+
+ [clear_loop_fwd_back_def] Definition
+
+ ⊢ ∀v i.
+ clear_loop_fwd_back v i =
+ (let
+ i0 = vec_len v
+ in
+ if usize_lt i i0 then
+ do
+ i1 <- usize_add i (int_to_usize 1);
+ v0 <- vec_index_mut_back v i (int_to_u32 0);
+ clear_loop_fwd_back v0 i1
+ od
+ else Return v)
+
+ [get_elem_mut_back_def] Definition
+
+ ⊢ ∀slots x ret.
+ get_elem_mut_back slots x ret =
+ do
+ l <- vec_index_mut_fwd slots (int_to_usize 0);
+ l0 <- get_elem_mut_loop_back x l ret;
+ vec_index_mut_back slots (int_to_usize 0) l0
+ od
+
+ [get_elem_mut_fwd_def] Definition
+
+ ⊢ ∀slots x.
+ get_elem_mut_fwd slots x =
+ do
+ l <- vec_index_mut_fwd slots (int_to_usize 0);
+ get_elem_mut_loop_fwd x l
+ od
+
+ [get_elem_mut_loop_back_def] Definition
+
+ ⊢ ∀x ls ret.
+ get_elem_mut_loop_back x ls ret =
+ case ls of
+ ListCons y tl =>
+ if y = x then Return (ListCons ret tl)
+ else
+ do
+ tl0 <- get_elem_mut_loop_back x tl ret;
+ Return (ListCons y tl0)
+ od
+ | ListNil => Fail Failure
+
+ [get_elem_mut_loop_fwd_def] Definition
+
+ ⊢ ∀x ls.
+ get_elem_mut_loop_fwd x ls =
+ case ls of
+ ListCons y tl =>
+ if y = x then Return y else get_elem_mut_loop_fwd x tl
+ | ListNil => Fail Failure
+
+ [get_elem_shared_fwd_def] Definition
+
+ ⊢ ∀slots x.
+ get_elem_shared_fwd slots x =
+ do
+ l <- vec_index_fwd slots (int_to_usize 0);
+ get_elem_shared_loop_fwd x l
+ od
+
+ [get_elem_shared_loop_fwd_def] Definition
+
+ ⊢ ∀x ls.
+ get_elem_shared_loop_fwd x ls =
+ case ls of
+ ListCons y tl =>
+ if y = x then Return y else get_elem_shared_loop_fwd x tl
+ | ListNil => Fail Failure
+
+ [id_mut_back_def] Definition
+
+ ⊢ ∀ls ret. id_mut_back ls ret = Return ret
+
+ [id_mut_fwd_def] Definition
+
+ ⊢ ∀ls. id_mut_fwd ls = Return ls
+
+ [id_shared_fwd_def] Definition
+
+ ⊢ ∀ls. id_shared_fwd ls = Return ls
+
+ [list_mem_fwd_def] Definition
+
+ ⊢ ∀x ls. list_mem_fwd x ls = list_mem_loop_fwd x ls
+
+ [list_mem_loop_fwd_def] Definition
+
+ ⊢ ∀x ls.
+ list_mem_loop_fwd x ls =
+ case ls of
+ ListCons y tl =>
+ if y = x then Return T else list_mem_loop_fwd x tl
+ | ListNil => Return F
+
+ [list_nth_mut_loop_back_def] Definition
+
+ ⊢ ∀ls i ret.
+ list_nth_mut_loop_back ls i ret =
+ list_nth_mut_loop_loop_back ls i ret
+
+ [list_nth_mut_loop_fwd_def] Definition
+
+ ⊢ ∀ls i. list_nth_mut_loop_fwd ls i = list_nth_mut_loop_loop_fwd ls i
+
+ [list_nth_mut_loop_loop_back_def] Definition
+
+ ⊢ ∀ls i ret.
+ list_nth_mut_loop_loop_back ls i ret =
+ case ls of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return (ListCons ret tl)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_loop_loop_back tl i0 ret;
+ Return (ListCons x tl0)
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_loop_fwd_def] Definition
+
+ ⊢ ∀ls i.
+ list_nth_mut_loop_loop_fwd ls i =
+ case ls of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return x
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_loop_fwd tl i0
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_pair_back'a_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_loop_pair_back'a ls0 ls1 i ret =
+ list_nth_mut_loop_pair_loop_back'a ls0 ls1 i ret
+
+ [list_nth_mut_loop_pair_back'b_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_loop_pair_back'b ls0 ls1 i ret =
+ list_nth_mut_loop_pair_loop_back'b ls0 ls1 i ret
+
+ [list_nth_mut_loop_pair_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_loop_pair_fwd ls0 ls1 i =
+ list_nth_mut_loop_pair_loop_fwd ls0 ls1 i
+
+ [list_nth_mut_loop_pair_loop_back'a_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_loop_pair_loop_back'a ls0 ls1 i ret =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (ListCons ret tl0)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl00 <-
+ list_nth_mut_loop_pair_loop_back'a tl0 tl1 i0 ret;
+ Return (ListCons x0 tl00)
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_pair_loop_back'b_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_loop_pair_loop_back'b ls0 ls1 i ret =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (ListCons ret tl1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl10 <-
+ list_nth_mut_loop_pair_loop_back'b tl0 tl1 i0 ret;
+ Return (ListCons x1 tl10)
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_pair_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_loop_pair_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_pair_loop_fwd tl0 tl1 i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_pair_merge_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_loop_pair_merge_back ls0 ls1 i ret =
+ list_nth_mut_loop_pair_merge_loop_back ls0 ls1 i ret
+
+ [list_nth_mut_loop_pair_merge_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_loop_pair_merge_fwd ls0 ls1 i =
+ list_nth_mut_loop_pair_merge_loop_fwd ls0 ls1 i
+
+ [list_nth_mut_loop_pair_merge_loop_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_loop_pair_merge_loop_back ls0 ls1 i ret =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then
+ (let
+ (t,t0) = ret
+ in
+ Return (ListCons t tl0,ListCons t0 tl1))
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ (tl00,tl10) <-
+ list_nth_mut_loop_pair_merge_loop_back tl0 tl1 i0
+ ret;
+ Return (ListCons x0 tl00,ListCons x1 tl10)
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_pair_merge_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_loop_pair_merge_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_pair_merge_loop_fwd tl0 tl1 i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_with_id_back_def] Definition
+
+ ⊢ ∀ls i ret.
+ list_nth_mut_loop_with_id_back ls i ret =
+ do
+ ls0 <- id_mut_fwd ls;
+ l <- list_nth_mut_loop_with_id_loop_back i ls0 ret;
+ id_mut_back ls l
+ od
+
+ [list_nth_mut_loop_with_id_fwd_def] Definition
+
+ ⊢ ∀ls i.
+ list_nth_mut_loop_with_id_fwd ls i =
+ do
+ ls0 <- id_mut_fwd ls;
+ list_nth_mut_loop_with_id_loop_fwd i ls0
+ od
+
+ [list_nth_mut_loop_with_id_loop_back_def] Definition
+
+ ⊢ ∀i ls ret.
+ list_nth_mut_loop_with_id_loop_back i ls ret =
+ case ls of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return (ListCons ret tl)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_loop_with_id_loop_back i0 tl ret;
+ Return (ListCons x tl0)
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_mut_loop_with_id_loop_fwd_def] Definition
+
+ ⊢ ∀i ls.
+ list_nth_mut_loop_with_id_loop_fwd i ls =
+ case ls of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return x
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_loop_with_id_loop_fwd i0 tl
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_mut_shared_loop_pair_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_shared_loop_pair_back ls0 ls1 i ret =
+ list_nth_mut_shared_loop_pair_loop_back ls0 ls1 i ret
+
+ [list_nth_mut_shared_loop_pair_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_shared_loop_pair_fwd ls0 ls1 i =
+ list_nth_mut_shared_loop_pair_loop_fwd ls0 ls1 i
+
+ [list_nth_mut_shared_loop_pair_loop_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_shared_loop_pair_loop_back ls0 ls1 i ret =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (ListCons ret tl0)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl00 <-
+ list_nth_mut_shared_loop_pair_loop_back tl0 tl1 i0
+ ret;
+ Return (ListCons x0 tl00)
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_shared_loop_pair_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_shared_loop_pair_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_shared_loop_pair_loop_fwd tl0 tl1 i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_shared_loop_pair_merge_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_shared_loop_pair_merge_back ls0 ls1 i ret =
+ list_nth_mut_shared_loop_pair_merge_loop_back ls0 ls1 i ret
+
+ [list_nth_mut_shared_loop_pair_merge_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_shared_loop_pair_merge_fwd ls0 ls1 i =
+ list_nth_mut_shared_loop_pair_merge_loop_fwd ls0 ls1 i
+
+ [list_nth_mut_shared_loop_pair_merge_loop_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_mut_shared_loop_pair_merge_loop_back ls0 ls1 i ret =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (ListCons ret tl0)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl00 <-
+ list_nth_mut_shared_loop_pair_merge_loop_back tl0
+ tl1 i0 ret;
+ Return (ListCons x0 tl00)
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_mut_shared_loop_pair_merge_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_mut_shared_loop_pair_merge_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_shared_loop_pair_merge_loop_fwd tl0 tl1
+ i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_shared_loop_fwd_def] Definition
+
+ ⊢ ∀ls i.
+ list_nth_shared_loop_fwd ls i =
+ list_nth_shared_loop_loop_fwd ls i
+
+ [list_nth_shared_loop_loop_fwd_def] Definition
+
+ ⊢ ∀ls i.
+ list_nth_shared_loop_loop_fwd ls i =
+ case ls of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return x
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_loop_fwd tl i0
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_shared_loop_pair_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_loop_pair_fwd ls0 ls1 i =
+ list_nth_shared_loop_pair_loop_fwd ls0 ls1 i
+
+ [list_nth_shared_loop_pair_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_loop_pair_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_pair_loop_fwd tl0 tl1 i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_shared_loop_pair_merge_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_loop_pair_merge_fwd ls0 ls1 i =
+ list_nth_shared_loop_pair_merge_loop_fwd ls0 ls1 i
+
+ [list_nth_shared_loop_pair_merge_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_loop_pair_merge_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_pair_merge_loop_fwd tl0 tl1 i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_shared_loop_with_id_fwd_def] Definition
+
+ ⊢ ∀ls i.
+ list_nth_shared_loop_with_id_fwd ls i =
+ do
+ ls0 <- id_shared_fwd ls;
+ list_nth_shared_loop_with_id_loop_fwd i ls0
+ od
+
+ [list_nth_shared_loop_with_id_loop_fwd_def] Definition
+
+ ⊢ ∀i ls.
+ list_nth_shared_loop_with_id_loop_fwd i ls =
+ case ls of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return x
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_loop_with_id_loop_fwd i0 tl
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_shared_mut_loop_pair_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_shared_mut_loop_pair_back ls0 ls1 i ret =
+ list_nth_shared_mut_loop_pair_loop_back ls0 ls1 i ret
+
+ [list_nth_shared_mut_loop_pair_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_mut_loop_pair_fwd ls0 ls1 i =
+ list_nth_shared_mut_loop_pair_loop_fwd ls0 ls1 i
+
+ [list_nth_shared_mut_loop_pair_loop_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_shared_mut_loop_pair_loop_back ls0 ls1 i ret =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (ListCons ret tl1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl10 <-
+ list_nth_shared_mut_loop_pair_loop_back tl0 tl1 i0
+ ret;
+ Return (ListCons x1 tl10)
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_shared_mut_loop_pair_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_mut_loop_pair_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_mut_loop_pair_loop_fwd tl0 tl1 i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_shared_mut_loop_pair_merge_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_shared_mut_loop_pair_merge_back ls0 ls1 i ret =
+ list_nth_shared_mut_loop_pair_merge_loop_back ls0 ls1 i ret
+
+ [list_nth_shared_mut_loop_pair_merge_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_mut_loop_pair_merge_fwd ls0 ls1 i =
+ list_nth_shared_mut_loop_pair_merge_loop_fwd ls0 ls1 i
+
+ [list_nth_shared_mut_loop_pair_merge_loop_back_def] Definition
+
+ ⊢ ∀ls0 ls1 i ret.
+ list_nth_shared_mut_loop_pair_merge_loop_back ls0 ls1 i ret =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (ListCons ret tl1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl10 <-
+ list_nth_shared_mut_loop_pair_merge_loop_back tl0
+ tl1 i0 ret;
+ Return (ListCons x1 tl10)
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [list_nth_shared_mut_loop_pair_merge_loop_fwd_def] Definition
+
+ ⊢ ∀ls0 ls1 i.
+ list_nth_shared_mut_loop_pair_merge_loop_fwd ls0 ls1 i =
+ case ls0 of
+ ListCons x0 tl0 =>
+ (case ls1 of
+ ListCons x1 tl1 =>
+ if i = int_to_u32 0 then Return (x0,x1)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_mut_loop_pair_merge_loop_fwd tl0 tl1
+ i0
+ od
+ | ListNil => Fail Failure)
+ | ListNil => Fail Failure
+
+ [sum_fwd_def] Definition
+
+ ⊢ ∀max. sum_fwd max = sum_loop_fwd max (int_to_u32 0) (int_to_u32 0)
+
+ [sum_loop_fwd_def] Definition
+
+ ⊢ ∀max i s.
+ sum_loop_fwd max i s =
+ if u32_lt i max then
+ do
+ s0 <- u32_add s i;
+ i0 <- u32_add i (int_to_u32 1);
+ sum_loop_fwd max i0 s0
+ od
+ else u32_mul s (int_to_u32 2)
+
+ [sum_with_mut_borrows_fwd_def] Definition
+
+ ⊢ ∀max.
+ sum_with_mut_borrows_fwd max =
+ sum_with_mut_borrows_loop_fwd max (int_to_u32 0) (int_to_u32 0)
+
+ [sum_with_mut_borrows_loop_fwd_def] Definition
+
+ ⊢ ∀max mi ms.
+ sum_with_mut_borrows_loop_fwd max mi ms =
+ if u32_lt mi max then
+ do
+ ms0 <- u32_add ms mi;
+ mi0 <- u32_add mi (int_to_u32 1);
+ sum_with_mut_borrows_loop_fwd max mi0 ms0
+ od
+ else u32_mul ms (int_to_u32 2)
+
+ [sum_with_shared_borrows_fwd_def] Definition
+
+ ⊢ ∀max.
+ sum_with_shared_borrows_fwd max =
+ sum_with_shared_borrows_loop_fwd max (int_to_u32 0)
+ (int_to_u32 0)
+
+ [sum_with_shared_borrows_loop_fwd_def] Definition
+
+ ⊢ ∀max i s.
+ sum_with_shared_borrows_loop_fwd max i s =
+ if u32_lt i max then
+ do
+ i0 <- u32_add i (int_to_u32 1);
+ s0 <- u32_add s i0;
+ sum_with_shared_borrows_loop_fwd max i0 s0
+ od
+ else u32_mul s (int_to_u32 2)
+
+
+*)
+end
diff --git a/tests/hol4/misc-loops/loops_TypesScript.sml b/tests/hol4/misc-loops/loops_TypesScript.sml
new file mode 100644
index 00000000..e3e5b8d1
--- /dev/null
+++ b/tests/hol4/misc-loops/loops_TypesScript.sml
@@ -0,0 +1,13 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [loops]: type definitions *)
+open primitivesLib divDefLib
+
+val _ = new_theory "loops_Types"
+
+
+Datatype:
+ (** [loops::List] *)
+ list_t = | ListCons 't list_t | ListNil
+End
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-loops/loops_TypesTheory.sig b/tests/hol4/misc-loops/loops_TypesTheory.sig
new file mode 100644
index 00000000..c3e638d8
--- /dev/null
+++ b/tests/hol4/misc-loops/loops_TypesTheory.sig
@@ -0,0 +1,94 @@
+signature loops_TypesTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val list_t_TY_DEF : thm
+ val list_t_case_def : thm
+ val list_t_size_def : thm
+
+ (* Theorems *)
+ val datatype_list_t : thm
+ val list_t_11 : thm
+ val list_t_Axiom : thm
+ val list_t_case_cong : thm
+ val list_t_case_eq : thm
+ val list_t_distinct : thm
+ val list_t_induction : thm
+ val list_t_nchotomy : thm
+
+ val loops_Types_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "loops_Types"
+
+ [list_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('list_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 a0
+ (ind_type$FCONS a1 (λn. ind_type$BOTTOM)))
+ a0 a1 ∧ $var$('list_t') a1) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) ARB (λn. ind_type$BOTTOM) ⇒
+ $var$('list_t') a0') ⇒
+ $var$('list_t') a0') rep
+
+ [list_t_case_def] Definition
+
+ ⊢ (∀a0 a1 f v. list_t_CASE (ListCons a0 a1) f v = f a0 a1) ∧
+ ∀f v. list_t_CASE ListNil f v = v
+
+ [list_t_size_def] Definition
+
+ ⊢ (∀f a0 a1.
+ list_t_size f (ListCons a0 a1) = 1 + (f a0 + list_t_size f a1)) ∧
+ ∀f. list_t_size f ListNil = 0
+
+ [datatype_list_t] Theorem
+
+ ⊢ DATATYPE (list_t ListCons ListNil)
+
+ [list_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ ListCons a0 a1 = ListCons a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [list_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a0 a1. fn (ListCons a0 a1) = f0 a0 a1 (fn a1)) ∧
+ fn ListNil = f1
+
+ [list_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧ (∀a0 a1. M' = ListCons a0 a1 ⇒ f a0 a1 = f' a0 a1) ∧
+ (M' = ListNil ⇒ v = v') ⇒
+ list_t_CASE M f v = list_t_CASE M' f' v'
+
+ [list_t_case_eq] Theorem
+
+ ⊢ list_t_CASE x f v = v' ⇔
+ (∃t l. x = ListCons t l ∧ f t l = v') ∨ x = ListNil ∧ v = v'
+
+ [list_t_distinct] Theorem
+
+ ⊢ ∀a1 a0. ListCons a0 a1 ≠ ListNil
+
+ [list_t_induction] Theorem
+
+ ⊢ ∀P. (∀l. P l ⇒ ∀t. P (ListCons t l)) ∧ P ListNil ⇒ ∀l. P l
+
+ [list_t_nchotomy] Theorem
+
+ ⊢ ∀ll. (∃t l. ll = ListCons t l) ∨ ll = ListNil
+
+
+*)
+end
diff --git a/tests/hol4/misc-no_nested_borrows/Holmakefile b/tests/hol4/misc-no_nested_borrows/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/misc-no_nested_borrows/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/misc-no_nested_borrows/noNestedBorrowsScript.sml b/tests/hol4/misc-no_nested_borrows/noNestedBorrowsScript.sml
new file mode 100644
index 00000000..c8b106cd
--- /dev/null
+++ b/tests/hol4/misc-no_nested_borrows/noNestedBorrowsScript.sml
@@ -0,0 +1,590 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [no_nested_borrows] *)
+open primitivesLib divDefLib
+
+val _ = new_theory "noNestedBorrows"
+
+
+Datatype:
+ (** [no_nested_borrows::Pair] *)
+ pair_t = <| pair_x : 't1; pair_y : 't2; |>
+End
+
+Datatype:
+ (** [no_nested_borrows::List] *)
+ list_t = | ListCons 't list_t | ListNil
+End
+
+Datatype:
+ (** [no_nested_borrows::One] *)
+ one_t = | OneOne 't1
+End
+
+Datatype:
+ (** [no_nested_borrows::EmptyEnum] *)
+ empty_enum_t = | EmptyEnumEmpty
+End
+
+Datatype:
+ (** [no_nested_borrows::Enum] *)
+ enum_t = | EnumVariant1 | EnumVariant2
+End
+
+Type empty_struct_t = “: unit”
+
+Datatype:
+ (** [no_nested_borrows::Sum] *)
+ sum_t = | SumLeft 't1 | SumRight 't2
+End
+
+val neg_test_fwd_def = Define ‘
+ (** [no_nested_borrows::neg_test] *)
+ neg_test_fwd (x : i32) : i32 result =
+ i32_neg x
+’
+
+val add_test_fwd_def = Define ‘
+ (** [no_nested_borrows::add_test] *)
+ add_test_fwd (x : u32) (y : u32) : u32 result =
+ u32_add x y
+’
+
+val subs_test_fwd_def = Define ‘
+ (** [no_nested_borrows::subs_test] *)
+ subs_test_fwd (x : u32) (y : u32) : u32 result =
+ u32_sub x y
+’
+
+val div_test_fwd_def = Define ‘
+ (** [no_nested_borrows::div_test] *)
+ div_test_fwd (x : u32) (y : u32) : u32 result =
+ u32_div x y
+’
+
+val div_test1_fwd_def = Define ‘
+ (** [no_nested_borrows::div_test1] *)
+ div_test1_fwd (x : u32) : u32 result =
+ u32_div x (int_to_u32 2)
+’
+
+val rem_test_fwd_def = Define ‘
+ (** [no_nested_borrows::rem_test] *)
+ rem_test_fwd (x : u32) (y : u32) : u32 result =
+ u32_rem x y
+’
+
+val cast_test_fwd_def = Define ‘
+ (** [no_nested_borrows::cast_test] *)
+ cast_test_fwd (x : u32) : i32 result =
+ mk_i32 (u32_to_int x)
+’
+
+val test2_fwd_def = Define ‘
+ (** [no_nested_borrows::test2] *)
+ test2_fwd : unit result =
+ do
+ _ <- u32_add (int_to_u32 23) (int_to_u32 44);
+ Return ()
+ od
+’
+
+(** Unit test for [no_nested_borrows::test2] *)
+val _ = assert_return (“test2_fwd”)
+
+val get_max_fwd_def = Define ‘
+ (** [no_nested_borrows::get_max] *)
+ get_max_fwd (x : u32) (y : u32) : u32 result =
+ if u32_ge x y then Return x else Return y
+’
+
+val test3_fwd_def = Define ‘
+ (** [no_nested_borrows::test3] *)
+ test3_fwd : unit result =
+ do
+ x <- get_max_fwd (int_to_u32 4) (int_to_u32 3);
+ y <- get_max_fwd (int_to_u32 10) (int_to_u32 11);
+ z <- u32_add x y;
+ if ~ (z = int_to_u32 15) then Fail Failure else Return ()
+ od
+’
+
+(** Unit test for [no_nested_borrows::test3] *)
+val _ = assert_return (“test3_fwd”)
+
+val test_neg1_fwd_def = Define ‘
+ (** [no_nested_borrows::test_neg1] *)
+ test_neg1_fwd : unit result =
+ do
+ y <- i32_neg (int_to_i32 3);
+ if ~ (y = int_to_i32 (-3)) then Fail Failure else Return ()
+ od
+’
+
+(** Unit test for [no_nested_borrows::test_neg1] *)
+val _ = assert_return (“test_neg1_fwd”)
+
+val refs_test1_fwd_def = Define ‘
+ (** [no_nested_borrows::refs_test1] *)
+ refs_test1_fwd : unit result =
+ if ~ (int_to_i32 1 = int_to_i32 1) then Fail Failure else Return ()
+’
+
+(** Unit test for [no_nested_borrows::refs_test1] *)
+val _ = assert_return (“refs_test1_fwd”)
+
+val refs_test2_fwd_def = Define ‘
+ (** [no_nested_borrows::refs_test2] *)
+ refs_test2_fwd : unit result =
+ if ~ (int_to_i32 2 = int_to_i32 2)
+ then Fail Failure
+ else
+ if ~ (int_to_i32 0 = int_to_i32 0)
+ then Fail Failure
+ else
+ if ~ (int_to_i32 2 = int_to_i32 2)
+ then Fail Failure
+ else
+ if ~ (int_to_i32 2 = int_to_i32 2) then Fail Failure else Return ()
+’
+
+(** Unit test for [no_nested_borrows::refs_test2] *)
+val _ = assert_return (“refs_test2_fwd”)
+
+val test_list1_fwd_def = Define ‘
+ (** [no_nested_borrows::test_list1] *)
+ test_list1_fwd : unit result =
+ Return ()
+’
+
+(** Unit test for [no_nested_borrows::test_list1] *)
+val _ = assert_return (“test_list1_fwd”)
+
+val test_box1_fwd_def = Define ‘
+ (** [no_nested_borrows::test_box1] *)
+ test_box1_fwd : unit result =
+ let b = int_to_i32 1 in
+ let x = b in
+ if ~ (x = int_to_i32 1) then Fail Failure else Return ()
+’
+
+(** Unit test for [no_nested_borrows::test_box1] *)
+val _ = assert_return (“test_box1_fwd”)
+
+val copy_int_fwd_def = Define ‘
+ (** [no_nested_borrows::copy_int] *)
+ copy_int_fwd (x : i32) : i32 result =
+ Return x
+’
+
+val test_unreachable_fwd_def = Define ‘
+ (** [no_nested_borrows::test_unreachable] *)
+ test_unreachable_fwd (b : bool) : unit result =
+ if b then Fail Failure else Return ()
+’
+
+val test_panic_fwd_def = Define ‘
+ (** [no_nested_borrows::test_panic] *)
+ test_panic_fwd (b : bool) : unit result =
+ if b then Fail Failure else Return ()
+’
+
+val test_copy_int_fwd_def = Define ‘
+ (** [no_nested_borrows::test_copy_int] *)
+ test_copy_int_fwd : unit result =
+ do
+ y <- copy_int_fwd (int_to_i32 0);
+ if ~ (int_to_i32 0 = y) then Fail Failure else Return ()
+ od
+’
+
+(** Unit test for [no_nested_borrows::test_copy_int] *)
+val _ = assert_return (“test_copy_int_fwd”)
+
+val is_cons_fwd_def = Define ‘
+ (** [no_nested_borrows::is_cons] *)
+ is_cons_fwd (l : 't list_t) : bool result =
+ (case l of | ListCons t l0 => Return T | ListNil => Return F)
+’
+
+val test_is_cons_fwd_def = Define ‘
+ (** [no_nested_borrows::test_is_cons] *)
+ test_is_cons_fwd : unit result =
+ let l = ListNil in
+ do
+ b <- is_cons_fwd (ListCons (int_to_i32 0) l);
+ if ~ b then Fail Failure else Return ()
+ od
+’
+
+(** Unit test for [no_nested_borrows::test_is_cons] *)
+val _ = assert_return (“test_is_cons_fwd”)
+
+val split_list_fwd_def = Define ‘
+ (** [no_nested_borrows::split_list] *)
+ split_list_fwd (l : 't list_t) : ('t # 't list_t) result =
+ (case l of | ListCons hd tl => Return (hd, tl) | ListNil => Fail Failure)
+’
+
+val test_split_list_fwd_def = Define ‘
+ (** [no_nested_borrows::test_split_list] *)
+ test_split_list_fwd : unit result =
+ let l = ListNil in
+ do
+ p <- split_list_fwd (ListCons (int_to_i32 0) l);
+ let (hd, _) = p in
+ if ~ (hd = int_to_i32 0) then Fail Failure else Return ()
+ od
+’
+
+(** Unit test for [no_nested_borrows::test_split_list] *)
+val _ = assert_return (“test_split_list_fwd”)
+
+val choose_fwd_def = Define ‘
+ (** [no_nested_borrows::choose] *)
+ choose_fwd (b : bool) (x : 't) (y : 't) : 't result =
+ if b then Return x else Return y
+’
+
+val choose_back_def = Define ‘
+ (** [no_nested_borrows::choose] *)
+ choose_back (b : bool) (x : 't) (y : 't) (ret : 't) : ('t # 't) result =
+ if b then Return (ret, y) else Return (x, ret)
+’
+
+val choose_test_fwd_def = Define ‘
+ (** [no_nested_borrows::choose_test] *)
+ choose_test_fwd : unit result =
+ do
+ z <- choose_fwd T (int_to_i32 0) (int_to_i32 0);
+ z0 <- i32_add z (int_to_i32 1);
+ if ~ (z0 = int_to_i32 1)
+ then Fail Failure
+ else (
+ do
+ (x, y) <- choose_back T (int_to_i32 0) (int_to_i32 0) z0;
+ if ~ (x = int_to_i32 1)
+ then Fail Failure
+ else if ~ (y = int_to_i32 0) then Fail Failure else Return ()
+ od)
+ od
+’
+
+(** Unit test for [no_nested_borrows::choose_test] *)
+val _ = assert_return (“choose_test_fwd”)
+
+val test_char_fwd_def = Define ‘
+ (** [no_nested_borrows::test_char] *)
+ test_char_fwd : char result =
+ Return #"a"
+’
+
+Datatype:
+ (** [no_nested_borrows::NodeElem] *)
+ node_elem_t = | NodeElemCons tree_t node_elem_t | NodeElemNil ;
+
+ (** [no_nested_borrows::Tree] *)
+ tree_t = | TreeLeaf 't | TreeNode 't node_elem_t tree_t
+End
+
+val [list_length_fwd_def] = DefineDiv ‘
+ (** [no_nested_borrows::list_length] *)
+ list_length_fwd (l : 't list_t) : u32 result =
+ (case l of
+ | ListCons t l1 => do
+ i <- list_length_fwd l1;
+ u32_add (int_to_u32 1) i
+ od
+ | ListNil => Return (int_to_u32 0))
+’
+
+val [list_nth_shared_fwd_def] = DefineDiv ‘
+ (** [no_nested_borrows::list_nth_shared] *)
+ list_nth_shared_fwd (l : 't list_t) (i : u32) : 't result =
+ (case l of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return x
+ else (do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_fwd tl i0
+ od)
+ | ListNil => Fail Failure)
+’
+
+val [list_nth_mut_fwd_def] = DefineDiv ‘
+ (** [no_nested_borrows::list_nth_mut] *)
+ list_nth_mut_fwd (l : 't list_t) (i : u32) : 't result =
+ (case l of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return x
+ else (do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_fwd tl i0
+ od)
+ | ListNil => Fail Failure)
+’
+
+val [list_nth_mut_back_def] = DefineDiv ‘
+ (** [no_nested_borrows::list_nth_mut] *)
+ list_nth_mut_back (l : 't list_t) (i : u32) (ret : 't) : 't list_t result =
+ (case l of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_back tl i0 ret;
+ Return (ListCons x tl0)
+ od)
+ | ListNil => Fail Failure)
+’
+
+val [list_rev_aux_fwd_def] = DefineDiv ‘
+ (** [no_nested_borrows::list_rev_aux] *)
+ list_rev_aux_fwd (li : 't list_t) (lo : 't list_t) : 't list_t result =
+ (case li of
+ | ListCons hd tl => list_rev_aux_fwd tl (ListCons hd lo)
+ | ListNil => Return lo)
+’
+
+val list_rev_fwd_back_def = Define ‘
+ (** [no_nested_borrows::list_rev] *)
+ list_rev_fwd_back (l : 't list_t) : 't list_t result =
+ let li = mem_replace_fwd l ListNil in list_rev_aux_fwd li ListNil
+’
+
+val test_list_functions_fwd_def = Define ‘
+ (** [no_nested_borrows::test_list_functions] *)
+ test_list_functions_fwd : unit result =
+ let l = ListNil in
+ let l0 = ListCons (int_to_i32 2) l in
+ let l1 = ListCons (int_to_i32 1) l0 in
+ do
+ i <- list_length_fwd (ListCons (int_to_i32 0) l1);
+ if ~ (i = int_to_u32 3)
+ then Fail Failure
+ else (
+ do
+ i0 <- list_nth_shared_fwd (ListCons (int_to_i32 0) l1) (int_to_u32 0);
+ if ~ (i0 = int_to_i32 0)
+ then Fail Failure
+ else (
+ do
+ i1 <- list_nth_shared_fwd (ListCons (int_to_i32 0) l1) (int_to_u32 1);
+ if ~ (i1 = int_to_i32 1)
+ then Fail Failure
+ else (
+ do
+ i2 <-
+ list_nth_shared_fwd (ListCons (int_to_i32 0) l1) (int_to_u32 2);
+ if ~ (i2 = int_to_i32 2)
+ then Fail Failure
+ else (
+ do
+ ls <-
+ list_nth_mut_back (ListCons (int_to_i32 0) l1) (int_to_u32 1)
+ (int_to_i32 3);
+ i3 <- list_nth_shared_fwd ls (int_to_u32 0);
+ if ~ (i3 = int_to_i32 0)
+ then Fail Failure
+ else (
+ do
+ i4 <- list_nth_shared_fwd ls (int_to_u32 1);
+ if ~ (i4 = int_to_i32 3)
+ then Fail Failure
+ else (
+ do
+ i5 <- list_nth_shared_fwd ls (int_to_u32 2);
+ if ~ (i5 = int_to_i32 2) then Fail Failure else Return ()
+ od)
+ od)
+ od)
+ od)
+ od)
+ od)
+ od
+’
+
+(** Unit test for [no_nested_borrows::test_list_functions] *)
+val _ = assert_return (“test_list_functions_fwd”)
+
+val id_mut_pair1_fwd_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair1] *)
+ id_mut_pair1_fwd (x : 't1) (y : 't2) : ('t1 # 't2) result =
+ Return (x, y)
+’
+
+val id_mut_pair1_back_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair1] *)
+ id_mut_pair1_back
+ (x : 't1) (y : 't2) (ret : ('t1 # 't2)) : ('t1 # 't2) result =
+ let (t, t0) = ret in Return (t, t0)
+’
+
+val id_mut_pair2_fwd_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair2] *)
+ id_mut_pair2_fwd (p : ('t1 # 't2)) : ('t1 # 't2) result =
+ let (t, t0) = p in Return (t, t0)
+’
+
+val id_mut_pair2_back_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair2] *)
+ id_mut_pair2_back
+ (p : ('t1 # 't2)) (ret : ('t1 # 't2)) : ('t1 # 't2) result =
+ let (t, t0) = ret in Return (t, t0)
+’
+
+val id_mut_pair3_fwd_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair3] *)
+ id_mut_pair3_fwd (x : 't1) (y : 't2) : ('t1 # 't2) result =
+ Return (x, y)
+’
+
+val id_mut_pair3_back'a_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair3] *)
+ id_mut_pair3_back'a (x : 't1) (y : 't2) (ret : 't1) : 't1 result =
+ Return ret
+’
+
+val id_mut_pair3_back'b_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair3] *)
+ id_mut_pair3_back'b (x : 't1) (y : 't2) (ret : 't2) : 't2 result =
+ Return ret
+’
+
+val id_mut_pair4_fwd_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair4] *)
+ id_mut_pair4_fwd (p : ('t1 # 't2)) : ('t1 # 't2) result =
+ let (t, t0) = p in Return (t, t0)
+’
+
+val id_mut_pair4_back'a_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair4] *)
+ id_mut_pair4_back'a (p : ('t1 # 't2)) (ret : 't1) : 't1 result =
+ Return ret
+’
+
+val id_mut_pair4_back'b_def = Define ‘
+ (** [no_nested_borrows::id_mut_pair4] *)
+ id_mut_pair4_back'b (p : ('t1 # 't2)) (ret : 't2) : 't2 result =
+ Return ret
+’
+
+Datatype:
+ (** [no_nested_borrows::StructWithTuple] *)
+ struct_with_tuple_t = <| struct_with_tuple_p : ('t1 # 't2); |>
+End
+
+val new_tuple1_fwd_def = Define ‘
+ (** [no_nested_borrows::new_tuple1] *)
+ new_tuple1_fwd : (u32, u32) struct_with_tuple_t result =
+ Return (<| struct_with_tuple_p := (int_to_u32 1, int_to_u32 2) |>)
+’
+
+val new_tuple2_fwd_def = Define ‘
+ (** [no_nested_borrows::new_tuple2] *)
+ new_tuple2_fwd : (i16, i16) struct_with_tuple_t result =
+ Return (<| struct_with_tuple_p := (int_to_i16 1, int_to_i16 2) |>)
+’
+
+val new_tuple3_fwd_def = Define ‘
+ (** [no_nested_borrows::new_tuple3] *)
+ new_tuple3_fwd : (u64, i64) struct_with_tuple_t result =
+ Return (<| struct_with_tuple_p := (int_to_u64 1, int_to_i64 2) |>)
+’
+
+Datatype:
+ (** [no_nested_borrows::StructWithPair] *)
+ struct_with_pair_t = <| struct_with_pair_p : ('t1, 't2) pair_t; |>
+End
+
+val new_pair1_fwd_def = Define ‘
+ (** [no_nested_borrows::new_pair1] *)
+ new_pair1_fwd : (u32, u32) struct_with_pair_t result =
+ Return
+ (<|
+ struct_with_pair_p :=
+ (<| pair_x := (int_to_u32 1); pair_y := (int_to_u32 2) |>)
+ |>)
+’
+
+val test_constants_fwd_def = Define ‘
+ (** [no_nested_borrows::test_constants] *)
+ test_constants_fwd : unit result =
+ do
+ swt <- new_tuple1_fwd;
+ let (i, _) = swt.struct_with_tuple_p in
+ if ~ (i = int_to_u32 1)
+ then Fail Failure
+ else (
+ do
+ swt0 <- new_tuple2_fwd;
+ let (i0, _) = swt0.struct_with_tuple_p in
+ if ~ (i0 = int_to_i16 1)
+ then Fail Failure
+ else (
+ do
+ swt1 <- new_tuple3_fwd;
+ let (i1, _) = swt1.struct_with_tuple_p in
+ if ~ (i1 = int_to_u64 1)
+ then Fail Failure
+ else (
+ do
+ swp <- new_pair1_fwd;
+ if ~ (swp.struct_with_pair_p.pair_x = int_to_u32 1)
+ then Fail Failure
+ else Return ()
+ od)
+ od)
+ od)
+ od
+’
+
+(** Unit test for [no_nested_borrows::test_constants] *)
+val _ = assert_return (“test_constants_fwd”)
+
+val test_weird_borrows1_fwd_def = Define ‘
+ (** [no_nested_borrows::test_weird_borrows1] *)
+ test_weird_borrows1_fwd : unit result =
+ Return ()
+’
+
+(** Unit test for [no_nested_borrows::test_weird_borrows1] *)
+val _ = assert_return (“test_weird_borrows1_fwd”)
+
+val test_mem_replace_fwd_back_def = Define ‘
+ (** [no_nested_borrows::test_mem_replace] *)
+ test_mem_replace_fwd_back (px : u32) : u32 result =
+ let y = mem_replace_fwd px (int_to_u32 1) in
+ if ~ (y = int_to_u32 0) then Fail Failure else Return (int_to_u32 2)
+’
+
+val test_shared_borrow_bool1_fwd_def = Define ‘
+ (** [no_nested_borrows::test_shared_borrow_bool1] *)
+ test_shared_borrow_bool1_fwd (b : bool) : u32 result =
+ if b then Return (int_to_u32 0) else Return (int_to_u32 1)
+’
+
+val test_shared_borrow_bool2_fwd_def = Define ‘
+ (** [no_nested_borrows::test_shared_borrow_bool2] *)
+ test_shared_borrow_bool2_fwd : u32 result =
+ Return (int_to_u32 0)
+’
+
+val test_shared_borrow_enum1_fwd_def = Define ‘
+ (** [no_nested_borrows::test_shared_borrow_enum1] *)
+ test_shared_borrow_enum1_fwd (l : u32 list_t) : u32 result =
+ (case l of
+ | ListCons i l0 => Return (int_to_u32 1)
+ | ListNil => Return (int_to_u32 0))
+’
+
+val test_shared_borrow_enum2_fwd_def = Define ‘
+ (** [no_nested_borrows::test_shared_borrow_enum2] *)
+ test_shared_borrow_enum2_fwd : u32 result =
+ Return (int_to_u32 0)
+’
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-no_nested_borrows/noNestedBorrowsTheory.sig b/tests/hol4/misc-no_nested_borrows/noNestedBorrowsTheory.sig
new file mode 100644
index 00000000..82c842be
--- /dev/null
+++ b/tests/hol4/misc-no_nested_borrows/noNestedBorrowsTheory.sig
@@ -0,0 +1,1596 @@
+signature noNestedBorrowsTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val add_test_fwd_def : thm
+ val cast_test_fwd_def : thm
+ val choose_back_def : thm
+ val choose_fwd_def : thm
+ val choose_test_fwd_def : thm
+ val copy_int_fwd_def : thm
+ val div_test1_fwd_def : thm
+ val div_test_fwd_def : thm
+ val empty_enum_t_BIJ : thm
+ val empty_enum_t_CASE : thm
+ val empty_enum_t_TY_DEF : thm
+ val empty_enum_t_size_def : thm
+ val enum_t_BIJ : thm
+ val enum_t_CASE : thm
+ val enum_t_TY_DEF : thm
+ val enum_t_size_def : thm
+ val get_max_fwd_def : thm
+ val id_mut_pair1_back_def : thm
+ val id_mut_pair1_fwd_def : thm
+ val id_mut_pair2_back_def : thm
+ val id_mut_pair2_fwd_def : thm
+ val id_mut_pair3_back'a_def : thm
+ val id_mut_pair3_back'b_def : thm
+ val id_mut_pair3_fwd_def : thm
+ val id_mut_pair4_back'a_def : thm
+ val id_mut_pair4_back'b_def : thm
+ val id_mut_pair4_fwd_def : thm
+ val is_cons_fwd_def : thm
+ val list_length_fwd_def : thm
+ val list_nth_mut_back_def : thm
+ val list_nth_mut_fwd_def : thm
+ val list_nth_shared_fwd_def : thm
+ val list_rev_aux_fwd_def : thm
+ val list_rev_fwd_back_def : thm
+ val list_t_TY_DEF : thm
+ val list_t_case_def : thm
+ val list_t_size_def : thm
+ val neg_test_fwd_def : thm
+ val new_pair1_fwd_def : thm
+ val new_tuple1_fwd_def : thm
+ val new_tuple2_fwd_def : thm
+ val new_tuple3_fwd_def : thm
+ val node_elem_t_TY_DEF : thm
+ val node_elem_t_case_def : thm
+ val node_elem_t_size_def : thm
+ val one_t_TY_DEF : thm
+ val one_t_case_def : thm
+ val one_t_size_def : thm
+ val pair_t_TY_DEF : thm
+ val pair_t_case_def : thm
+ val pair_t_size_def : thm
+ val recordtype_pair_t_seldef_pair_x_def : thm
+ val recordtype_pair_t_seldef_pair_x_fupd_def : thm
+ val recordtype_pair_t_seldef_pair_y_def : thm
+ val recordtype_pair_t_seldef_pair_y_fupd_def : thm
+ val recordtype_struct_with_pair_t_seldef_struct_with_pair_p_def : thm
+ val recordtype_struct_with_pair_t_seldef_struct_with_pair_p_fupd_def : thm
+ val recordtype_struct_with_tuple_t_seldef_struct_with_tuple_p_def : thm
+ val recordtype_struct_with_tuple_t_seldef_struct_with_tuple_p_fupd_def : thm
+ val refs_test1_fwd_def : thm
+ val refs_test2_fwd_def : thm
+ val rem_test_fwd_def : thm
+ val split_list_fwd_def : thm
+ val struct_with_pair_t_TY_DEF : thm
+ val struct_with_pair_t_case_def : thm
+ val struct_with_pair_t_size_def : thm
+ val struct_with_tuple_t_TY_DEF : thm
+ val struct_with_tuple_t_case_def : thm
+ val struct_with_tuple_t_size_def : thm
+ val subs_test_fwd_def : thm
+ val sum_t_TY_DEF : thm
+ val sum_t_case_def : thm
+ val sum_t_size_def : thm
+ val test2_fwd_def : thm
+ val test3_fwd_def : thm
+ val test_box1_fwd_def : thm
+ val test_char_fwd_def : thm
+ val test_constants_fwd_def : thm
+ val test_copy_int_fwd_def : thm
+ val test_is_cons_fwd_def : thm
+ val test_list1_fwd_def : thm
+ val test_list_functions_fwd_def : thm
+ val test_mem_replace_fwd_back_def : thm
+ val test_neg1_fwd_def : thm
+ val test_panic_fwd_def : thm
+ val test_shared_borrow_bool1_fwd_def : thm
+ val test_shared_borrow_bool2_fwd_def : thm
+ val test_shared_borrow_enum1_fwd_def : thm
+ val test_shared_borrow_enum2_fwd_def : thm
+ val test_split_list_fwd_def : thm
+ val test_unreachable_fwd_def : thm
+ val test_weird_borrows1_fwd_def : thm
+ val tree_t_TY_DEF : thm
+ val tree_t_case_def : thm
+
+ (* Theorems *)
+ val EXISTS_pair_t : thm
+ val EXISTS_struct_with_pair_t : thm
+ val EXISTS_struct_with_tuple_t : thm
+ val FORALL_pair_t : thm
+ val FORALL_struct_with_pair_t : thm
+ val FORALL_struct_with_tuple_t : thm
+ val datatype_empty_enum_t : thm
+ val datatype_enum_t : thm
+ val datatype_list_t : thm
+ val datatype_node_elem_t : thm
+ val datatype_one_t : thm
+ val datatype_pair_t : thm
+ val datatype_struct_with_pair_t : thm
+ val datatype_struct_with_tuple_t : thm
+ val datatype_sum_t : thm
+ val empty_enum_t2num_11 : thm
+ val empty_enum_t2num_ONTO : thm
+ val empty_enum_t2num_num2empty_enum_t : thm
+ val empty_enum_t2num_thm : thm
+ val empty_enum_t_Axiom : thm
+ val empty_enum_t_EQ_empty_enum_t : thm
+ val empty_enum_t_case_cong : thm
+ val empty_enum_t_case_def : thm
+ val empty_enum_t_case_eq : thm
+ val empty_enum_t_induction : thm
+ val empty_enum_t_nchotomy : thm
+ val enum_t2num_11 : thm
+ val enum_t2num_ONTO : thm
+ val enum_t2num_num2enum_t : thm
+ val enum_t2num_thm : thm
+ val enum_t_Axiom : thm
+ val enum_t_EQ_enum_t : thm
+ val enum_t_case_cong : thm
+ val enum_t_case_def : thm
+ val enum_t_case_eq : thm
+ val enum_t_distinct : thm
+ val enum_t_induction : thm
+ val enum_t_nchotomy : thm
+ val list_t_11 : thm
+ val list_t_Axiom : thm
+ val list_t_case_cong : thm
+ val list_t_case_eq : thm
+ val list_t_distinct : thm
+ val list_t_induction : thm
+ val list_t_nchotomy : thm
+ val node_elem_t_11 : thm
+ val node_elem_t_Axiom : thm
+ val node_elem_t_case_cong : thm
+ val node_elem_t_case_eq : thm
+ val node_elem_t_distinct : thm
+ val node_elem_t_induction : thm
+ val node_elem_t_nchotomy : thm
+ val num2empty_enum_t_11 : thm
+ val num2empty_enum_t_ONTO : thm
+ val num2empty_enum_t_empty_enum_t2num : thm
+ val num2empty_enum_t_thm : thm
+ val num2enum_t_11 : thm
+ val num2enum_t_ONTO : thm
+ val num2enum_t_enum_t2num : thm
+ val num2enum_t_thm : thm
+ val one_t_11 : thm
+ val one_t_Axiom : thm
+ val one_t_case_cong : thm
+ val one_t_case_eq : thm
+ val one_t_induction : thm
+ val one_t_nchotomy : thm
+ val pair_t_11 : thm
+ val pair_t_Axiom : thm
+ val pair_t_accessors : thm
+ val pair_t_accfupds : thm
+ val pair_t_case_cong : thm
+ val pair_t_case_eq : thm
+ val pair_t_component_equality : thm
+ val pair_t_fn_updates : thm
+ val pair_t_fupdcanon : thm
+ val pair_t_fupdcanon_comp : thm
+ val pair_t_fupdfupds : thm
+ val pair_t_fupdfupds_comp : thm
+ val pair_t_induction : thm
+ val pair_t_literal_11 : thm
+ val pair_t_literal_nchotomy : thm
+ val pair_t_nchotomy : thm
+ val pair_t_updates_eq_literal : thm
+ val struct_with_pair_t_11 : thm
+ val struct_with_pair_t_Axiom : thm
+ val struct_with_pair_t_accessors : thm
+ val struct_with_pair_t_accfupds : thm
+ val struct_with_pair_t_case_cong : thm
+ val struct_with_pair_t_case_eq : thm
+ val struct_with_pair_t_component_equality : thm
+ val struct_with_pair_t_fn_updates : thm
+ val struct_with_pair_t_fupdfupds : thm
+ val struct_with_pair_t_fupdfupds_comp : thm
+ val struct_with_pair_t_induction : thm
+ val struct_with_pair_t_literal_11 : thm
+ val struct_with_pair_t_literal_nchotomy : thm
+ val struct_with_pair_t_nchotomy : thm
+ val struct_with_pair_t_updates_eq_literal : thm
+ val struct_with_tuple_t_11 : thm
+ val struct_with_tuple_t_Axiom : thm
+ val struct_with_tuple_t_accessors : thm
+ val struct_with_tuple_t_accfupds : thm
+ val struct_with_tuple_t_case_cong : thm
+ val struct_with_tuple_t_case_eq : thm
+ val struct_with_tuple_t_component_equality : thm
+ val struct_with_tuple_t_fn_updates : thm
+ val struct_with_tuple_t_fupdfupds : thm
+ val struct_with_tuple_t_fupdfupds_comp : thm
+ val struct_with_tuple_t_induction : thm
+ val struct_with_tuple_t_literal_11 : thm
+ val struct_with_tuple_t_literal_nchotomy : thm
+ val struct_with_tuple_t_nchotomy : thm
+ val struct_with_tuple_t_updates_eq_literal : thm
+ val sum_t_11 : thm
+ val sum_t_Axiom : thm
+ val sum_t_case_cong : thm
+ val sum_t_case_eq : thm
+ val sum_t_distinct : thm
+ val sum_t_induction : thm
+ val sum_t_nchotomy : thm
+ val tree_t_11 : thm
+ val tree_t_Axiom : thm
+ val tree_t_case_cong : thm
+ val tree_t_case_eq : thm
+ val tree_t_distinct : thm
+ val tree_t_induction : thm
+ val tree_t_nchotomy : thm
+
+ val noNestedBorrows_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "noNestedBorrows"
+
+ [add_test_fwd_def] Definition
+
+ ⊢ ∀x y. add_test_fwd x y = u32_add x y
+
+ [cast_test_fwd_def] Definition
+
+ ⊢ ∀x. cast_test_fwd x = mk_i32 (u32_to_int x)
+
+ [choose_back_def] Definition
+
+ ⊢ ∀b x y ret.
+ choose_back b x y ret =
+ if b then Return (ret,y) else Return (x,ret)
+
+ [choose_fwd_def] Definition
+
+ ⊢ ∀b x y. choose_fwd b x y = if b then Return x else Return y
+
+ [choose_test_fwd_def] Definition
+
+ ⊢ choose_test_fwd =
+ do
+ z <- choose_fwd T (int_to_i32 0) (int_to_i32 0);
+ z0 <- i32_add z (int_to_i32 1);
+ if z0 ≠ int_to_i32 1 then Fail Failure
+ else
+ do
+ (x,y) <- choose_back T (int_to_i32 0) (int_to_i32 0) z0;
+ if x ≠ int_to_i32 1 then Fail Failure
+ else if y ≠ int_to_i32 0 then Fail Failure
+ else Return ()
+ od
+ od
+
+ [copy_int_fwd_def] Definition
+
+ ⊢ ∀x. copy_int_fwd x = Return x
+
+ [div_test1_fwd_def] Definition
+
+ ⊢ ∀x. div_test1_fwd x = u32_div x (int_to_u32 2)
+
+ [div_test_fwd_def] Definition
+
+ ⊢ ∀x y. div_test_fwd x y = u32_div x y
+
+ [empty_enum_t_BIJ] Definition
+
+ ⊢ (∀a. num2empty_enum_t (empty_enum_t2num a) = a) ∧
+ ∀r. (λn. n < 1) r ⇔ empty_enum_t2num (num2empty_enum_t r) = r
+
+ [empty_enum_t_CASE] Definition
+
+ ⊢ ∀x v0.
+ (case x of EmptyEnumEmpty => v0) = (λm. v0) (empty_enum_t2num x)
+
+ [empty_enum_t_TY_DEF] Definition
+
+ ⊢ ∃rep. TYPE_DEFINITION (λn. n < 1) rep
+
+ [empty_enum_t_size_def] Definition
+
+ ⊢ ∀x. empty_enum_t_size x = 0
+
+ [enum_t_BIJ] Definition
+
+ ⊢ (∀a. num2enum_t (enum_t2num a) = a) ∧
+ ∀r. (λn. n < 2) r ⇔ enum_t2num (num2enum_t r) = r
+
+ [enum_t_CASE] Definition
+
+ ⊢ ∀x v0 v1.
+ (case x of EnumVariant1 => v0 | EnumVariant2 => v1) =
+ (λm. if m = 0 then v0 else v1) (enum_t2num x)
+
+ [enum_t_TY_DEF] Definition
+
+ ⊢ ∃rep. TYPE_DEFINITION (λn. n < 2) rep
+
+ [enum_t_size_def] Definition
+
+ ⊢ ∀x. enum_t_size x = 0
+
+ [get_max_fwd_def] Definition
+
+ ⊢ ∀x y. get_max_fwd x y = if u32_ge x y then Return x else Return y
+
+ [id_mut_pair1_back_def] Definition
+
+ ⊢ ∀x y ret.
+ id_mut_pair1_back x y ret = (let (t,t0) = ret in Return (t,t0))
+
+ [id_mut_pair1_fwd_def] Definition
+
+ ⊢ ∀x y. id_mut_pair1_fwd x y = Return (x,y)
+
+ [id_mut_pair2_back_def] Definition
+
+ ⊢ ∀p ret.
+ id_mut_pair2_back p ret = (let (t,t0) = ret in Return (t,t0))
+
+ [id_mut_pair2_fwd_def] Definition
+
+ ⊢ ∀p. id_mut_pair2_fwd p = (let (t,t0) = p in Return (t,t0))
+
+ [id_mut_pair3_back'a_def] Definition
+
+ ⊢ ∀x y ret. id_mut_pair3_back'a x y ret = Return ret
+
+ [id_mut_pair3_back'b_def] Definition
+
+ ⊢ ∀x y ret. id_mut_pair3_back'b x y ret = Return ret
+
+ [id_mut_pair3_fwd_def] Definition
+
+ ⊢ ∀x y. id_mut_pair3_fwd x y = Return (x,y)
+
+ [id_mut_pair4_back'a_def] Definition
+
+ ⊢ ∀p ret. id_mut_pair4_back'a p ret = Return ret
+
+ [id_mut_pair4_back'b_def] Definition
+
+ ⊢ ∀p ret. id_mut_pair4_back'b p ret = Return ret
+
+ [id_mut_pair4_fwd_def] Definition
+
+ ⊢ ∀p. id_mut_pair4_fwd p = (let (t,t0) = p in Return (t,t0))
+
+ [is_cons_fwd_def] Definition
+
+ ⊢ ∀l. is_cons_fwd l =
+ case l of ListCons t l0 => Return T | ListNil => Return F
+
+ [list_length_fwd_def] Definition
+
+ ⊢ ∀l. list_length_fwd l =
+ case l of
+ ListCons t l1 =>
+ do i <- list_length_fwd l1; u32_add (int_to_u32 1) i od
+ | ListNil => Return (int_to_u32 0)
+
+ [list_nth_mut_back_def] Definition
+
+ ⊢ ∀l i ret.
+ list_nth_mut_back l i ret =
+ case l of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return (ListCons ret tl)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_back tl i0 ret;
+ Return (ListCons x tl0)
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_mut_fwd_def] Definition
+
+ ⊢ ∀l i.
+ list_nth_mut_fwd l i =
+ case l of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return x
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_fwd tl i0
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_shared_fwd_def] Definition
+
+ ⊢ ∀l i.
+ list_nth_shared_fwd l i =
+ case l of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return x
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_shared_fwd tl i0
+ od
+ | ListNil => Fail Failure
+
+ [list_rev_aux_fwd_def] Definition
+
+ ⊢ ∀li lo.
+ list_rev_aux_fwd li lo =
+ case li of
+ ListCons hd tl => list_rev_aux_fwd tl (ListCons hd lo)
+ | ListNil => Return lo
+
+ [list_rev_fwd_back_def] Definition
+
+ ⊢ ∀l. list_rev_fwd_back l =
+ (let
+ li = mem_replace_fwd l ListNil
+ in
+ list_rev_aux_fwd li ListNil)
+
+ [list_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('list_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 a0
+ (ind_type$FCONS a1 (λn. ind_type$BOTTOM)))
+ a0 a1 ∧ $var$('list_t') a1) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) ARB (λn. ind_type$BOTTOM) ⇒
+ $var$('list_t') a0') ⇒
+ $var$('list_t') a0') rep
+
+ [list_t_case_def] Definition
+
+ ⊢ (∀a0 a1 f v. list_t_CASE (ListCons a0 a1) f v = f a0 a1) ∧
+ ∀f v. list_t_CASE ListNil f v = v
+
+ [list_t_size_def] Definition
+
+ ⊢ (∀f a0 a1.
+ list_t_size f (ListCons a0 a1) = 1 + (f a0 + list_t_size f a1)) ∧
+ ∀f. list_t_size f ListNil = 0
+
+ [neg_test_fwd_def] Definition
+
+ ⊢ ∀x. neg_test_fwd x = i32_neg x
+
+ [new_pair1_fwd_def] Definition
+
+ ⊢ new_pair1_fwd =
+ Return
+ <|struct_with_pair_p :=
+ <|pair_x := int_to_u32 1; pair_y := int_to_u32 2|> |>
+
+ [new_tuple1_fwd_def] Definition
+
+ ⊢ new_tuple1_fwd =
+ Return <|struct_with_tuple_p := (int_to_u32 1,int_to_u32 2)|>
+
+ [new_tuple2_fwd_def] Definition
+
+ ⊢ new_tuple2_fwd =
+ Return <|struct_with_tuple_p := (int_to_i16 1,int_to_i16 2)|>
+
+ [new_tuple3_fwd_def] Definition
+
+ ⊢ new_tuple3_fwd =
+ Return <|struct_with_tuple_p := (int_to_u64 1,int_to_i64 2)|>
+
+ [node_elem_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('node_elem_t') $var$('tree_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 ARB
+ (ind_type$FCONS a0
+ (ind_type$FCONS a1 (λn. ind_type$BOTTOM))))
+ a0 a1 ∧ $var$('tree_t') a0 ∧
+ $var$('node_elem_t') a1) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) ARB (λn. ind_type$BOTTOM) ⇒
+ $var$('node_elem_t') a0') ∧
+ (∀a1'.
+ (∃a. a1' =
+ (λa.
+ ind_type$CONSTR (SUC (SUC 0)) a
+ (λn. ind_type$BOTTOM)) a) ∨
+ (∃a0 a1 a2.
+ a1' =
+ (λa0 a1 a2.
+ ind_type$CONSTR (SUC (SUC (SUC 0))) a0
+ (ind_type$FCONS a1
+ (ind_type$FCONS a2 (λn. ind_type$BOTTOM))))
+ a0 a1 a2 ∧ $var$('node_elem_t') a1 ∧
+ $var$('tree_t') a2) ⇒
+ $var$('tree_t') a1') ⇒
+ $var$('node_elem_t') a0') rep
+
+ [node_elem_t_case_def] Definition
+
+ ⊢ (∀a0 a1 f v. node_elem_t_CASE (NodeElemCons a0 a1) f v = f a0 a1) ∧
+ ∀f v. node_elem_t_CASE NodeElemNil f v = v
+
+ [node_elem_t_size_def] Definition
+
+ ⊢ (∀f a0 a1.
+ node_elem_t_size f (NodeElemCons a0 a1) =
+ 1 + (tree_t_size f a0 + node_elem_t_size f a1)) ∧
+ (∀f. node_elem_t_size f NodeElemNil = 0) ∧
+ (∀f a. tree_t_size f (TreeLeaf a) = 1 + f a) ∧
+ ∀f a0 a1 a2.
+ tree_t_size f (TreeNode a0 a1 a2) =
+ 1 + (f a0 + (node_elem_t_size f a1 + tree_t_size f a2))
+
+ [one_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('one_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa. ind_type$CONSTR 0 a (λn. ind_type$BOTTOM))
+ a) ⇒
+ $var$('one_t') a0) ⇒
+ $var$('one_t') a0) rep
+
+ [one_t_case_def] Definition
+
+ ⊢ ∀a f. one_t_CASE (OneOne a) f = f a
+
+ [one_t_size_def] Definition
+
+ ⊢ ∀f a. one_t_size f (OneOne a) = 1 + f a
+
+ [pair_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('pair_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 (a0,a1)
+ (λn. ind_type$BOTTOM)) a0 a1) ⇒
+ $var$('pair_t') a0') ⇒
+ $var$('pair_t') a0') rep
+
+ [pair_t_case_def] Definition
+
+ ⊢ ∀a0 a1 f. pair_t_CASE (pair_t a0 a1) f = f a0 a1
+
+ [pair_t_size_def] Definition
+
+ ⊢ ∀f f1 a0 a1. pair_t_size f f1 (pair_t a0 a1) = 1 + (f a0 + f1 a1)
+
+ [recordtype_pair_t_seldef_pair_x_def] Definition
+
+ ⊢ ∀t t0. (pair_t t t0).pair_x = t
+
+ [recordtype_pair_t_seldef_pair_x_fupd_def] Definition
+
+ ⊢ ∀f t t0. pair_t t t0 with pair_x updated_by f = pair_t (f t) t0
+
+ [recordtype_pair_t_seldef_pair_y_def] Definition
+
+ ⊢ ∀t t0. (pair_t t t0).pair_y = t0
+
+ [recordtype_pair_t_seldef_pair_y_fupd_def] Definition
+
+ ⊢ ∀f t t0. pair_t t t0 with pair_y updated_by f = pair_t t (f t0)
+
+ [recordtype_struct_with_pair_t_seldef_struct_with_pair_p_def] Definition
+
+ ⊢ ∀p. (struct_with_pair_t p).struct_with_pair_p = p
+
+ [recordtype_struct_with_pair_t_seldef_struct_with_pair_p_fupd_def] Definition
+
+ ⊢ ∀f p.
+ struct_with_pair_t p with struct_with_pair_p updated_by f =
+ struct_with_pair_t (f p)
+
+ [recordtype_struct_with_tuple_t_seldef_struct_with_tuple_p_def] Definition
+
+ ⊢ ∀p. (struct_with_tuple_t p).struct_with_tuple_p = p
+
+ [recordtype_struct_with_tuple_t_seldef_struct_with_tuple_p_fupd_def] Definition
+
+ ⊢ ∀f p.
+ struct_with_tuple_t p with struct_with_tuple_p updated_by f =
+ struct_with_tuple_t (f p)
+
+ [refs_test1_fwd_def] Definition
+
+ ⊢ refs_test1_fwd =
+ if int_to_i32 1 ≠ int_to_i32 1 then Fail Failure else Return ()
+
+ [refs_test2_fwd_def] Definition
+
+ ⊢ refs_test2_fwd =
+ if int_to_i32 2 ≠ int_to_i32 2 then Fail Failure
+ else if int_to_i32 0 ≠ int_to_i32 0 then Fail Failure
+ else if int_to_i32 2 ≠ int_to_i32 2 then Fail Failure
+ else if int_to_i32 2 ≠ int_to_i32 2 then Fail Failure
+ else Return ()
+
+ [rem_test_fwd_def] Definition
+
+ ⊢ ∀x y. rem_test_fwd x y = u32_rem x y
+
+ [split_list_fwd_def] Definition
+
+ ⊢ ∀l. split_list_fwd l =
+ case l of
+ ListCons hd tl => Return (hd,tl)
+ | ListNil => Fail Failure
+
+ [struct_with_pair_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('struct_with_pair_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa. ind_type$CONSTR 0 a (λn. ind_type$BOTTOM))
+ a) ⇒
+ $var$('struct_with_pair_t') a0) ⇒
+ $var$('struct_with_pair_t') a0) rep
+
+ [struct_with_pair_t_case_def] Definition
+
+ ⊢ ∀a f. struct_with_pair_t_CASE (struct_with_pair_t a) f = f a
+
+ [struct_with_pair_t_size_def] Definition
+
+ ⊢ ∀f f1 a.
+ struct_with_pair_t_size f f1 (struct_with_pair_t a) =
+ 1 + pair_t_size f f1 a
+
+ [struct_with_tuple_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('struct_with_tuple_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa. ind_type$CONSTR 0 a (λn. ind_type$BOTTOM))
+ a) ⇒
+ $var$('struct_with_tuple_t') a0) ⇒
+ $var$('struct_with_tuple_t') a0) rep
+
+ [struct_with_tuple_t_case_def] Definition
+
+ ⊢ ∀a f. struct_with_tuple_t_CASE (struct_with_tuple_t a) f = f a
+
+ [struct_with_tuple_t_size_def] Definition
+
+ ⊢ ∀f f1 a.
+ struct_with_tuple_t_size f f1 (struct_with_tuple_t a) =
+ 1 + pair_size f f1 a
+
+ [subs_test_fwd_def] Definition
+
+ ⊢ ∀x y. subs_test_fwd x y = u32_sub x y
+
+ [sum_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0.
+ ∀ $var$('sum_t').
+ (∀a0.
+ (∃a. a0 =
+ (λa.
+ ind_type$CONSTR 0 (a,ARB)
+ (λn. ind_type$BOTTOM)) a) ∨
+ (∃a. a0 =
+ (λa.
+ ind_type$CONSTR (SUC 0) (ARB,a)
+ (λn. ind_type$BOTTOM)) a) ⇒
+ $var$('sum_t') a0) ⇒
+ $var$('sum_t') a0) rep
+
+ [sum_t_case_def] Definition
+
+ ⊢ (∀a f f1. sum_t_CASE (SumLeft a) f f1 = f a) ∧
+ ∀a f f1. sum_t_CASE (SumRight a) f f1 = f1 a
+
+ [sum_t_size_def] Definition
+
+ ⊢ (∀f f1 a. sum_t_size f f1 (SumLeft a) = 1 + f a) ∧
+ ∀f f1 a. sum_t_size f f1 (SumRight a) = 1 + f1 a
+
+ [test2_fwd_def] Definition
+
+ ⊢ test2_fwd =
+ monad_ignore_bind (u32_add (int_to_u32 23) (int_to_u32 44))
+ (Return ())
+
+ [test3_fwd_def] Definition
+
+ ⊢ test3_fwd =
+ do
+ x <- get_max_fwd (int_to_u32 4) (int_to_u32 3);
+ y <- get_max_fwd (int_to_u32 10) (int_to_u32 11);
+ z <- u32_add x y;
+ if z ≠ int_to_u32 15 then Fail Failure else Return ()
+ od
+
+ [test_box1_fwd_def] Definition
+
+ ⊢ test_box1_fwd =
+ (let
+ b = int_to_i32 1;
+ x = b
+ in
+ if x ≠ int_to_i32 1 then Fail Failure else Return ())
+
+ [test_char_fwd_def] Definition
+
+ ⊢ test_char_fwd = Return #"a"
+
+ [test_constants_fwd_def] Definition
+
+ ⊢ test_constants_fwd =
+ do
+ swt <- new_tuple1_fwd;
+ (i,_) <<- swt.struct_with_tuple_p;
+ if i ≠ int_to_u32 1 then Fail Failure
+ else
+ do
+ swt0 <- new_tuple2_fwd;
+ (i0,_) <<- swt0.struct_with_tuple_p;
+ if i0 ≠ int_to_i16 1 then Fail Failure
+ else
+ do
+ swt1 <- new_tuple3_fwd;
+ (i1,_) <<- swt1.struct_with_tuple_p;
+ if i1 ≠ int_to_u64 1 then Fail Failure
+ else
+ do
+ swp <- new_pair1_fwd;
+ if swp.struct_with_pair_p.pair_x ≠ int_to_u32 1 then
+ Fail Failure
+ else Return ()
+ od
+ od
+ od
+ od
+
+ [test_copy_int_fwd_def] Definition
+
+ ⊢ test_copy_int_fwd =
+ do
+ y <- copy_int_fwd (int_to_i32 0);
+ if int_to_i32 0 ≠ y then Fail Failure else Return ()
+ od
+
+ [test_is_cons_fwd_def] Definition
+
+ ⊢ test_is_cons_fwd =
+ (let
+ l = ListNil
+ in
+ do
+ b <- is_cons_fwd (ListCons (int_to_i32 0) l);
+ if ¬b then Fail Failure else Return ()
+ od)
+
+ [test_list1_fwd_def] Definition
+
+ ⊢ test_list1_fwd = Return ()
+
+ [test_list_functions_fwd_def] Definition
+
+ ⊢ test_list_functions_fwd =
+ (let
+ l = ListNil;
+ l0 = ListCons (int_to_i32 2) l;
+ l1 = ListCons (int_to_i32 1) l0
+ in
+ do
+ i <- list_length_fwd (ListCons (int_to_i32 0) l1);
+ if i ≠ int_to_u32 3 then Fail Failure
+ else
+ do
+ i0 <-
+ list_nth_shared_fwd (ListCons (int_to_i32 0) l1)
+ (int_to_u32 0);
+ if i0 ≠ int_to_i32 0 then Fail Failure
+ else
+ do
+ i1 <-
+ list_nth_shared_fwd (ListCons (int_to_i32 0) l1)
+ (int_to_u32 1);
+ if i1 ≠ int_to_i32 1 then Fail Failure
+ else
+ do
+ i2 <-
+ list_nth_shared_fwd (ListCons (int_to_i32 0) l1)
+ (int_to_u32 2);
+ if i2 ≠ int_to_i32 2 then Fail Failure
+ else
+ do
+ ls <-
+ list_nth_mut_back
+ (ListCons (int_to_i32 0) l1)
+ (int_to_u32 1) (int_to_i32 3);
+ i3 <- list_nth_shared_fwd ls (int_to_u32 0);
+ if i3 ≠ int_to_i32 0 then Fail Failure
+ else
+ do
+ i4 <-
+ list_nth_shared_fwd ls (int_to_u32 1);
+ if i4 ≠ int_to_i32 3 then Fail Failure
+ else
+ do
+ i5 <-
+ list_nth_shared_fwd ls
+ (int_to_u32 2);
+ if i5 ≠ int_to_i32 2 then Fail Failure
+ else Return ()
+ od
+ od
+ od
+ od
+ od
+ od
+ od)
+
+ [test_mem_replace_fwd_back_def] Definition
+
+ ⊢ ∀px.
+ test_mem_replace_fwd_back px =
+ (let
+ y = mem_replace_fwd px (int_to_u32 1)
+ in
+ if y ≠ int_to_u32 0 then Fail Failure
+ else Return (int_to_u32 2))
+
+ [test_neg1_fwd_def] Definition
+
+ ⊢ test_neg1_fwd =
+ do
+ y <- i32_neg (int_to_i32 3);
+ if y ≠ int_to_i32 (-3) then Fail Failure else Return ()
+ od
+
+ [test_panic_fwd_def] Definition
+
+ ⊢ ∀b. test_panic_fwd b = if b then Fail Failure else Return ()
+
+ [test_shared_borrow_bool1_fwd_def] Definition
+
+ ⊢ ∀b. test_shared_borrow_bool1_fwd b =
+ if b then Return (int_to_u32 0) else Return (int_to_u32 1)
+
+ [test_shared_borrow_bool2_fwd_def] Definition
+
+ ⊢ test_shared_borrow_bool2_fwd = Return (int_to_u32 0)
+
+ [test_shared_borrow_enum1_fwd_def] Definition
+
+ ⊢ ∀l. test_shared_borrow_enum1_fwd l =
+ case l of
+ ListCons i l0 => Return (int_to_u32 1)
+ | ListNil => Return (int_to_u32 0)
+
+ [test_shared_borrow_enum2_fwd_def] Definition
+
+ ⊢ test_shared_borrow_enum2_fwd = Return (int_to_u32 0)
+
+ [test_split_list_fwd_def] Definition
+
+ ⊢ test_split_list_fwd =
+ (let
+ l = ListNil
+ in
+ do
+ p <- split_list_fwd (ListCons (int_to_i32 0) l);
+ (hd,_) <<- p;
+ if hd ≠ int_to_i32 0 then Fail Failure else Return ()
+ od)
+
+ [test_unreachable_fwd_def] Definition
+
+ ⊢ ∀b. test_unreachable_fwd b = if b then Fail Failure else Return ()
+
+ [test_weird_borrows1_fwd_def] Definition
+
+ ⊢ test_weird_borrows1_fwd = Return ()
+
+ [tree_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa1'.
+ ∀ $var$('node_elem_t') $var$('tree_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 ARB
+ (ind_type$FCONS a0
+ (ind_type$FCONS a1 (λn. ind_type$BOTTOM))))
+ a0 a1 ∧ $var$('tree_t') a0 ∧
+ $var$('node_elem_t') a1) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) ARB (λn. ind_type$BOTTOM) ⇒
+ $var$('node_elem_t') a0') ∧
+ (∀a1'.
+ (∃a. a1' =
+ (λa.
+ ind_type$CONSTR (SUC (SUC 0)) a
+ (λn. ind_type$BOTTOM)) a) ∨
+ (∃a0 a1 a2.
+ a1' =
+ (λa0 a1 a2.
+ ind_type$CONSTR (SUC (SUC (SUC 0))) a0
+ (ind_type$FCONS a1
+ (ind_type$FCONS a2 (λn. ind_type$BOTTOM))))
+ a0 a1 a2 ∧ $var$('node_elem_t') a1 ∧
+ $var$('tree_t') a2) ⇒
+ $var$('tree_t') a1') ⇒
+ $var$('tree_t') a1') rep
+
+ [tree_t_case_def] Definition
+
+ ⊢ (∀a f f1. tree_t_CASE (TreeLeaf a) f f1 = f a) ∧
+ ∀a0 a1 a2 f f1. tree_t_CASE (TreeNode a0 a1 a2) f f1 = f1 a0 a1 a2
+
+ [EXISTS_pair_t] Theorem
+
+ ⊢ ∀P. (∃p. P p) ⇔ ∃t0 t. P <|pair_x := t0; pair_y := t|>
+
+ [EXISTS_struct_with_pair_t] Theorem
+
+ ⊢ ∀P. (∃s. P s) ⇔ ∃p. P <|struct_with_pair_p := p|>
+
+ [EXISTS_struct_with_tuple_t] Theorem
+
+ ⊢ ∀P. (∃s. P s) ⇔ ∃p. P <|struct_with_tuple_p := p|>
+
+ [FORALL_pair_t] Theorem
+
+ ⊢ ∀P. (∀p. P p) ⇔ ∀t0 t. P <|pair_x := t0; pair_y := t|>
+
+ [FORALL_struct_with_pair_t] Theorem
+
+ ⊢ ∀P. (∀s. P s) ⇔ ∀p. P <|struct_with_pair_p := p|>
+
+ [FORALL_struct_with_tuple_t] Theorem
+
+ ⊢ ∀P. (∀s. P s) ⇔ ∀p. P <|struct_with_tuple_p := p|>
+
+ [datatype_empty_enum_t] Theorem
+
+ ⊢ DATATYPE (empty_enum_t EmptyEnumEmpty)
+
+ [datatype_enum_t] Theorem
+
+ ⊢ DATATYPE (enum_t EnumVariant1 EnumVariant2)
+
+ [datatype_list_t] Theorem
+
+ ⊢ DATATYPE (list_t ListCons ListNil)
+
+ [datatype_node_elem_t] Theorem
+
+ ⊢ DATATYPE
+ (node_elem_t NodeElemCons NodeElemNil ∧ tree_t TreeLeaf TreeNode)
+
+ [datatype_one_t] Theorem
+
+ ⊢ DATATYPE (one_t OneOne)
+
+ [datatype_pair_t] Theorem
+
+ ⊢ DATATYPE (record pair_t pair_x pair_y)
+
+ [datatype_struct_with_pair_t] Theorem
+
+ ⊢ DATATYPE (record struct_with_pair_t struct_with_pair_p)
+
+ [datatype_struct_with_tuple_t] Theorem
+
+ ⊢ DATATYPE (record struct_with_tuple_t struct_with_tuple_p)
+
+ [datatype_sum_t] Theorem
+
+ ⊢ DATATYPE (sum_t SumLeft SumRight)
+
+ [empty_enum_t2num_11] Theorem
+
+ ⊢ ∀a a'. empty_enum_t2num a = empty_enum_t2num a' ⇔ a = a'
+
+ [empty_enum_t2num_ONTO] Theorem
+
+ ⊢ ∀r. r < 1 ⇔ ∃a. r = empty_enum_t2num a
+
+ [empty_enum_t2num_num2empty_enum_t] Theorem
+
+ ⊢ ∀r. r < 1 ⇔ empty_enum_t2num (num2empty_enum_t r) = r
+
+ [empty_enum_t2num_thm] Theorem
+
+ ⊢ empty_enum_t2num EmptyEnumEmpty = 0
+
+ [empty_enum_t_Axiom] Theorem
+
+ ⊢ ∀x0. ∃f. f EmptyEnumEmpty = x0
+
+ [empty_enum_t_EQ_empty_enum_t] Theorem
+
+ ⊢ ∀a a'. a = a' ⇔ empty_enum_t2num a = empty_enum_t2num a'
+
+ [empty_enum_t_case_cong] Theorem
+
+ ⊢ ∀M M' v0.
+ M = M' ∧ (M' = EmptyEnumEmpty ⇒ v0 = v0') ⇒
+ (case M of EmptyEnumEmpty => v0) =
+ case M' of EmptyEnumEmpty => v0'
+
+ [empty_enum_t_case_def] Theorem
+
+ ⊢ ∀v0. (case EmptyEnumEmpty of EmptyEnumEmpty => v0) = v0
+
+ [empty_enum_t_case_eq] Theorem
+
+ ⊢ (case x of EmptyEnumEmpty => v0) = v ⇔ x = EmptyEnumEmpty ∧ v0 = v
+
+ [empty_enum_t_induction] Theorem
+
+ ⊢ ∀P. P EmptyEnumEmpty ⇒ ∀a. P a
+
+ [empty_enum_t_nchotomy] Theorem
+
+ ⊢ ∀a. a = EmptyEnumEmpty
+
+ [enum_t2num_11] Theorem
+
+ ⊢ ∀a a'. enum_t2num a = enum_t2num a' ⇔ a = a'
+
+ [enum_t2num_ONTO] Theorem
+
+ ⊢ ∀r. r < 2 ⇔ ∃a. r = enum_t2num a
+
+ [enum_t2num_num2enum_t] Theorem
+
+ ⊢ ∀r. r < 2 ⇔ enum_t2num (num2enum_t r) = r
+
+ [enum_t2num_thm] Theorem
+
+ ⊢ enum_t2num EnumVariant1 = 0 ∧ enum_t2num EnumVariant2 = 1
+
+ [enum_t_Axiom] Theorem
+
+ ⊢ ∀x0 x1. ∃f. f EnumVariant1 = x0 ∧ f EnumVariant2 = x1
+
+ [enum_t_EQ_enum_t] Theorem
+
+ ⊢ ∀a a'. a = a' ⇔ enum_t2num a = enum_t2num a'
+
+ [enum_t_case_cong] Theorem
+
+ ⊢ ∀M M' v0 v1.
+ M = M' ∧ (M' = EnumVariant1 ⇒ v0 = v0') ∧
+ (M' = EnumVariant2 ⇒ v1 = v1') ⇒
+ (case M of EnumVariant1 => v0 | EnumVariant2 => v1) =
+ case M' of EnumVariant1 => v0' | EnumVariant2 => v1'
+
+ [enum_t_case_def] Theorem
+
+ ⊢ (∀v0 v1.
+ (case EnumVariant1 of EnumVariant1 => v0 | EnumVariant2 => v1) =
+ v0) ∧
+ ∀v0 v1.
+ (case EnumVariant2 of EnumVariant1 => v0 | EnumVariant2 => v1) =
+ v1
+
+ [enum_t_case_eq] Theorem
+
+ ⊢ (case x of EnumVariant1 => v0 | EnumVariant2 => v1) = v ⇔
+ x = EnumVariant1 ∧ v0 = v ∨ x = EnumVariant2 ∧ v1 = v
+
+ [enum_t_distinct] Theorem
+
+ ⊢ EnumVariant1 ≠ EnumVariant2
+
+ [enum_t_induction] Theorem
+
+ ⊢ ∀P. P EnumVariant1 ∧ P EnumVariant2 ⇒ ∀a. P a
+
+ [enum_t_nchotomy] Theorem
+
+ ⊢ ∀a. a = EnumVariant1 ∨ a = EnumVariant2
+
+ [list_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ ListCons a0 a1 = ListCons a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [list_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a0 a1. fn (ListCons a0 a1) = f0 a0 a1 (fn a1)) ∧
+ fn ListNil = f1
+
+ [list_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧ (∀a0 a1. M' = ListCons a0 a1 ⇒ f a0 a1 = f' a0 a1) ∧
+ (M' = ListNil ⇒ v = v') ⇒
+ list_t_CASE M f v = list_t_CASE M' f' v'
+
+ [list_t_case_eq] Theorem
+
+ ⊢ list_t_CASE x f v = v' ⇔
+ (∃t l. x = ListCons t l ∧ f t l = v') ∨ x = ListNil ∧ v = v'
+
+ [list_t_distinct] Theorem
+
+ ⊢ ∀a1 a0. ListCons a0 a1 ≠ ListNil
+
+ [list_t_induction] Theorem
+
+ ⊢ ∀P. (∀l. P l ⇒ ∀t. P (ListCons t l)) ∧ P ListNil ⇒ ∀l. P l
+
+ [list_t_nchotomy] Theorem
+
+ ⊢ ∀ll. (∃t l. ll = ListCons t l) ∨ ll = ListNil
+
+ [node_elem_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ NodeElemCons a0 a1 = NodeElemCons a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [node_elem_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1 f2 f3. ∃fn0 fn1.
+ (∀a0 a1. fn0 (NodeElemCons a0 a1) = f0 a0 a1 (fn1 a0) (fn0 a1)) ∧
+ fn0 NodeElemNil = f1 ∧ (∀a. fn1 (TreeLeaf a) = f2 a) ∧
+ ∀a0 a1 a2.
+ fn1 (TreeNode a0 a1 a2) = f3 a0 a1 a2 (fn0 a1) (fn1 a2)
+
+ [node_elem_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧ (∀a0 a1. M' = NodeElemCons a0 a1 ⇒ f a0 a1 = f' a0 a1) ∧
+ (M' = NodeElemNil ⇒ v = v') ⇒
+ node_elem_t_CASE M f v = node_elem_t_CASE M' f' v'
+
+ [node_elem_t_case_eq] Theorem
+
+ ⊢ node_elem_t_CASE x f v = v' ⇔
+ (∃t n. x = NodeElemCons t n ∧ f t n = v') ∨
+ x = NodeElemNil ∧ v = v'
+
+ [node_elem_t_distinct] Theorem
+
+ ⊢ ∀a1 a0. NodeElemCons a0 a1 ≠ NodeElemNil
+
+ [node_elem_t_induction] Theorem
+
+ ⊢ ∀P0 P1.
+ (∀t n. P1 t ∧ P0 n ⇒ P0 (NodeElemCons t n)) ∧ P0 NodeElemNil ∧
+ (∀t. P1 (TreeLeaf t)) ∧
+ (∀n t. P0 n ∧ P1 t ⇒ ∀t0. P1 (TreeNode t0 n t)) ⇒
+ (∀n. P0 n) ∧ ∀t. P1 t
+
+ [node_elem_t_nchotomy] Theorem
+
+ ⊢ ∀nn. (∃t n. nn = NodeElemCons t n) ∨ nn = NodeElemNil
+
+ [num2empty_enum_t_11] Theorem
+
+ ⊢ ∀r r'.
+ r < 1 ⇒
+ r' < 1 ⇒
+ (num2empty_enum_t r = num2empty_enum_t r' ⇔ r = r')
+
+ [num2empty_enum_t_ONTO] Theorem
+
+ ⊢ ∀a. ∃r. a = num2empty_enum_t r ∧ r < 1
+
+ [num2empty_enum_t_empty_enum_t2num] Theorem
+
+ ⊢ ∀a. num2empty_enum_t (empty_enum_t2num a) = a
+
+ [num2empty_enum_t_thm] Theorem
+
+ ⊢ num2empty_enum_t 0 = EmptyEnumEmpty
+
+ [num2enum_t_11] Theorem
+
+ ⊢ ∀r r'. r < 2 ⇒ r' < 2 ⇒ (num2enum_t r = num2enum_t r' ⇔ r = r')
+
+ [num2enum_t_ONTO] Theorem
+
+ ⊢ ∀a. ∃r. a = num2enum_t r ∧ r < 2
+
+ [num2enum_t_enum_t2num] Theorem
+
+ ⊢ ∀a. num2enum_t (enum_t2num a) = a
+
+ [num2enum_t_thm] Theorem
+
+ ⊢ num2enum_t 0 = EnumVariant1 ∧ num2enum_t 1 = EnumVariant2
+
+ [one_t_11] Theorem
+
+ ⊢ ∀a a'. OneOne a = OneOne a' ⇔ a = a'
+
+ [one_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a. fn (OneOne a) = f a
+
+ [one_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a. M' = OneOne a ⇒ f a = f' a) ⇒
+ one_t_CASE M f = one_t_CASE M' f'
+
+ [one_t_case_eq] Theorem
+
+ ⊢ one_t_CASE x f = v ⇔ ∃t. x = OneOne t ∧ f t = v
+
+ [one_t_induction] Theorem
+
+ ⊢ ∀P. (∀t. P (OneOne t)) ⇒ ∀ $o. P $o
+
+ [one_t_nchotomy] Theorem
+
+ ⊢ ∀oo. ∃t. oo = OneOne t
+
+ [pair_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'. pair_t a0 a1 = pair_t a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [pair_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a0 a1. fn (pair_t a0 a1) = f a0 a1
+
+ [pair_t_accessors] Theorem
+
+ ⊢ (∀t t0. (pair_t t t0).pair_x = t) ∧
+ ∀t t0. (pair_t t t0).pair_y = t0
+
+ [pair_t_accfupds] Theorem
+
+ ⊢ (∀p f. (p with pair_y updated_by f).pair_x = p.pair_x) ∧
+ (∀p f. (p with pair_x updated_by f).pair_y = p.pair_y) ∧
+ (∀p f. (p with pair_x updated_by f).pair_x = f p.pair_x) ∧
+ ∀p f. (p with pair_y updated_by f).pair_y = f p.pair_y
+
+ [pair_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a0 a1. M' = pair_t a0 a1 ⇒ f a0 a1 = f' a0 a1) ⇒
+ pair_t_CASE M f = pair_t_CASE M' f'
+
+ [pair_t_case_eq] Theorem
+
+ ⊢ pair_t_CASE x f = v ⇔ ∃t t0. x = pair_t t t0 ∧ f t t0 = v
+
+ [pair_t_component_equality] Theorem
+
+ ⊢ ∀p1 p2. p1 = p2 ⇔ p1.pair_x = p2.pair_x ∧ p1.pair_y = p2.pair_y
+
+ [pair_t_fn_updates] Theorem
+
+ ⊢ (∀f t t0. pair_t t t0 with pair_x updated_by f = pair_t (f t) t0) ∧
+ ∀f t t0. pair_t t t0 with pair_y updated_by f = pair_t t (f t0)
+
+ [pair_t_fupdcanon] Theorem
+
+ ⊢ ∀p g f.
+ p with <|pair_y updated_by f; pair_x updated_by g|> =
+ p with <|pair_x updated_by g; pair_y updated_by f|>
+
+ [pair_t_fupdcanon_comp] Theorem
+
+ ⊢ (∀g f.
+ pair_y_fupd f ∘ pair_x_fupd g = pair_x_fupd g ∘ pair_y_fupd f) ∧
+ ∀h g f.
+ pair_y_fupd f ∘ pair_x_fupd g ∘ h =
+ pair_x_fupd g ∘ pair_y_fupd f ∘ h
+
+ [pair_t_fupdfupds] Theorem
+
+ ⊢ (∀p g f.
+ p with <|pair_x updated_by f; pair_x updated_by g|> =
+ p with pair_x updated_by f ∘ g) ∧
+ ∀p g f.
+ p with <|pair_y updated_by f; pair_y updated_by g|> =
+ p with pair_y updated_by f ∘ g
+
+ [pair_t_fupdfupds_comp] Theorem
+
+ ⊢ ((∀g f. pair_x_fupd f ∘ pair_x_fupd g = pair_x_fupd (f ∘ g)) ∧
+ ∀h g f.
+ pair_x_fupd f ∘ pair_x_fupd g ∘ h = pair_x_fupd (f ∘ g) ∘ h) ∧
+ (∀g f. pair_y_fupd f ∘ pair_y_fupd g = pair_y_fupd (f ∘ g)) ∧
+ ∀h g f. pair_y_fupd f ∘ pair_y_fupd g ∘ h = pair_y_fupd (f ∘ g) ∘ h
+
+ [pair_t_induction] Theorem
+
+ ⊢ ∀P. (∀t t0. P (pair_t t t0)) ⇒ ∀p. P p
+
+ [pair_t_literal_11] Theorem
+
+ ⊢ ∀t01 t1 t02 t2.
+ <|pair_x := t01; pair_y := t1|> = <|pair_x := t02; pair_y := t2|> ⇔
+ t01 = t02 ∧ t1 = t2
+
+ [pair_t_literal_nchotomy] Theorem
+
+ ⊢ ∀p. ∃t0 t. p = <|pair_x := t0; pair_y := t|>
+
+ [pair_t_nchotomy] Theorem
+
+ ⊢ ∀pp. ∃t t0. pp = pair_t t t0
+
+ [pair_t_updates_eq_literal] Theorem
+
+ ⊢ ∀p t0 t.
+ p with <|pair_x := t0; pair_y := t|> =
+ <|pair_x := t0; pair_y := t|>
+
+ [struct_with_pair_t_11] Theorem
+
+ ⊢ ∀a a'. struct_with_pair_t a = struct_with_pair_t a' ⇔ a = a'
+
+ [struct_with_pair_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a. fn (struct_with_pair_t a) = f a
+
+ [struct_with_pair_t_accessors] Theorem
+
+ ⊢ ∀p. (struct_with_pair_t p).struct_with_pair_p = p
+
+ [struct_with_pair_t_accfupds] Theorem
+
+ ⊢ ∀s f.
+ (s with struct_with_pair_p updated_by f).struct_with_pair_p =
+ f s.struct_with_pair_p
+
+ [struct_with_pair_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a. M' = struct_with_pair_t a ⇒ f a = f' a) ⇒
+ struct_with_pair_t_CASE M f = struct_with_pair_t_CASE M' f'
+
+ [struct_with_pair_t_case_eq] Theorem
+
+ ⊢ struct_with_pair_t_CASE x f = v ⇔
+ ∃p. x = struct_with_pair_t p ∧ f p = v
+
+ [struct_with_pair_t_component_equality] Theorem
+
+ ⊢ ∀s1 s2. s1 = s2 ⇔ s1.struct_with_pair_p = s2.struct_with_pair_p
+
+ [struct_with_pair_t_fn_updates] Theorem
+
+ ⊢ ∀f p.
+ struct_with_pair_t p with struct_with_pair_p updated_by f =
+ struct_with_pair_t (f p)
+
+ [struct_with_pair_t_fupdfupds] Theorem
+
+ ⊢ ∀s g f.
+ s with
+ <|struct_with_pair_p updated_by f;
+ struct_with_pair_p updated_by g|> =
+ s with struct_with_pair_p updated_by f ∘ g
+
+ [struct_with_pair_t_fupdfupds_comp] Theorem
+
+ ⊢ (∀g f.
+ struct_with_pair_p_fupd f ∘ struct_with_pair_p_fupd g =
+ struct_with_pair_p_fupd (f ∘ g)) ∧
+ ∀h g f.
+ struct_with_pair_p_fupd f ∘ struct_with_pair_p_fupd g ∘ h =
+ struct_with_pair_p_fupd (f ∘ g) ∘ h
+
+ [struct_with_pair_t_induction] Theorem
+
+ ⊢ ∀P. (∀p. P (struct_with_pair_t p)) ⇒ ∀s. P s
+
+ [struct_with_pair_t_literal_11] Theorem
+
+ ⊢ ∀p1 p2.
+ <|struct_with_pair_p := p1|> = <|struct_with_pair_p := p2|> ⇔
+ p1 = p2
+
+ [struct_with_pair_t_literal_nchotomy] Theorem
+
+ ⊢ ∀s. ∃p. s = <|struct_with_pair_p := p|>
+
+ [struct_with_pair_t_nchotomy] Theorem
+
+ ⊢ ∀ss. ∃p. ss = struct_with_pair_t p
+
+ [struct_with_pair_t_updates_eq_literal] Theorem
+
+ ⊢ ∀s p. s with struct_with_pair_p := p = <|struct_with_pair_p := p|>
+
+ [struct_with_tuple_t_11] Theorem
+
+ ⊢ ∀a a'. struct_with_tuple_t a = struct_with_tuple_t a' ⇔ a = a'
+
+ [struct_with_tuple_t_Axiom] Theorem
+
+ ⊢ ∀f. ∃fn. ∀a. fn (struct_with_tuple_t a) = f a
+
+ [struct_with_tuple_t_accessors] Theorem
+
+ ⊢ ∀p. (struct_with_tuple_t p).struct_with_tuple_p = p
+
+ [struct_with_tuple_t_accfupds] Theorem
+
+ ⊢ ∀s f.
+ (s with struct_with_tuple_p updated_by f).struct_with_tuple_p =
+ f s.struct_with_tuple_p
+
+ [struct_with_tuple_t_case_cong] Theorem
+
+ ⊢ ∀M M' f.
+ M = M' ∧ (∀a. M' = struct_with_tuple_t a ⇒ f a = f' a) ⇒
+ struct_with_tuple_t_CASE M f = struct_with_tuple_t_CASE M' f'
+
+ [struct_with_tuple_t_case_eq] Theorem
+
+ ⊢ struct_with_tuple_t_CASE x f = v ⇔
+ ∃p. x = struct_with_tuple_t p ∧ f p = v
+
+ [struct_with_tuple_t_component_equality] Theorem
+
+ ⊢ ∀s1 s2. s1 = s2 ⇔ s1.struct_with_tuple_p = s2.struct_with_tuple_p
+
+ [struct_with_tuple_t_fn_updates] Theorem
+
+ ⊢ ∀f p.
+ struct_with_tuple_t p with struct_with_tuple_p updated_by f =
+ struct_with_tuple_t (f p)
+
+ [struct_with_tuple_t_fupdfupds] Theorem
+
+ ⊢ ∀s g f.
+ s with
+ <|struct_with_tuple_p updated_by f;
+ struct_with_tuple_p updated_by g|> =
+ s with struct_with_tuple_p updated_by f ∘ g
+
+ [struct_with_tuple_t_fupdfupds_comp] Theorem
+
+ ⊢ (∀g f.
+ struct_with_tuple_p_fupd f ∘ struct_with_tuple_p_fupd g =
+ struct_with_tuple_p_fupd (f ∘ g)) ∧
+ ∀h g f.
+ struct_with_tuple_p_fupd f ∘ struct_with_tuple_p_fupd g ∘ h =
+ struct_with_tuple_p_fupd (f ∘ g) ∘ h
+
+ [struct_with_tuple_t_induction] Theorem
+
+ ⊢ ∀P. (∀p. P (struct_with_tuple_t p)) ⇒ ∀s. P s
+
+ [struct_with_tuple_t_literal_11] Theorem
+
+ ⊢ ∀p1 p2.
+ <|struct_with_tuple_p := p1|> = <|struct_with_tuple_p := p2|> ⇔
+ p1 = p2
+
+ [struct_with_tuple_t_literal_nchotomy] Theorem
+
+ ⊢ ∀s. ∃p. s = <|struct_with_tuple_p := p|>
+
+ [struct_with_tuple_t_nchotomy] Theorem
+
+ ⊢ ∀ss. ∃p. ss = struct_with_tuple_t p
+
+ [struct_with_tuple_t_updates_eq_literal] Theorem
+
+ ⊢ ∀s p.
+ s with struct_with_tuple_p := p = <|struct_with_tuple_p := p|>
+
+ [sum_t_11] Theorem
+
+ ⊢ (∀a a'. SumLeft a = SumLeft a' ⇔ a = a') ∧
+ ∀a a'. SumRight a = SumRight a' ⇔ a = a'
+
+ [sum_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a. fn (SumLeft a) = f0 a) ∧ ∀a. fn (SumRight a) = f1 a
+
+ [sum_t_case_cong] Theorem
+
+ ⊢ ∀M M' f f1.
+ M = M' ∧ (∀a. M' = SumLeft a ⇒ f a = f' a) ∧
+ (∀a. M' = SumRight a ⇒ f1 a = f1' a) ⇒
+ sum_t_CASE M f f1 = sum_t_CASE M' f' f1'
+
+ [sum_t_case_eq] Theorem
+
+ ⊢ sum_t_CASE x f f1 = v ⇔
+ (∃t. x = SumLeft t ∧ f t = v) ∨ ∃t. x = SumRight t ∧ f1 t = v
+
+ [sum_t_distinct] Theorem
+
+ ⊢ ∀a' a. SumLeft a ≠ SumRight a'
+
+ [sum_t_induction] Theorem
+
+ ⊢ ∀P. (∀t. P (SumLeft t)) ∧ (∀t. P (SumRight t)) ⇒ ∀s. P s
+
+ [sum_t_nchotomy] Theorem
+
+ ⊢ ∀ss. (∃t. ss = SumLeft t) ∨ ∃t. ss = SumRight t
+
+ [tree_t_11] Theorem
+
+ ⊢ (∀a a'. TreeLeaf a = TreeLeaf a' ⇔ a = a') ∧
+ ∀a0 a1 a2 a0' a1' a2'.
+ TreeNode a0 a1 a2 = TreeNode a0' a1' a2' ⇔
+ a0 = a0' ∧ a1 = a1' ∧ a2 = a2'
+
+ [tree_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1 f2 f3. ∃fn0 fn1.
+ (∀a0 a1. fn0 (NodeElemCons a0 a1) = f0 a0 a1 (fn1 a0) (fn0 a1)) ∧
+ fn0 NodeElemNil = f1 ∧ (∀a. fn1 (TreeLeaf a) = f2 a) ∧
+ ∀a0 a1 a2.
+ fn1 (TreeNode a0 a1 a2) = f3 a0 a1 a2 (fn0 a1) (fn1 a2)
+
+ [tree_t_case_cong] Theorem
+
+ ⊢ ∀M M' f f1.
+ M = M' ∧ (∀a. M' = TreeLeaf a ⇒ f a = f' a) ∧
+ (∀a0 a1 a2. M' = TreeNode a0 a1 a2 ⇒ f1 a0 a1 a2 = f1' a0 a1 a2) ⇒
+ tree_t_CASE M f f1 = tree_t_CASE M' f' f1'
+
+ [tree_t_case_eq] Theorem
+
+ ⊢ tree_t_CASE x f f1 = v ⇔
+ (∃t. x = TreeLeaf t ∧ f t = v) ∨
+ ∃t0 n t. x = TreeNode t0 n t ∧ f1 t0 n t = v
+
+ [tree_t_distinct] Theorem
+
+ ⊢ ∀a2 a1 a0 a. TreeLeaf a ≠ TreeNode a0 a1 a2
+
+ [tree_t_induction] Theorem
+
+ ⊢ ∀P0 P1.
+ (∀t n. P1 t ∧ P0 n ⇒ P0 (NodeElemCons t n)) ∧ P0 NodeElemNil ∧
+ (∀t. P1 (TreeLeaf t)) ∧
+ (∀n t. P0 n ∧ P1 t ⇒ ∀t0. P1 (TreeNode t0 n t)) ⇒
+ (∀n. P0 n) ∧ ∀t. P1 t
+
+ [tree_t_nchotomy] Theorem
+
+ ⊢ ∀tt. (∃t. tt = TreeLeaf t) ∨ ∃t0 n t. tt = TreeNode t0 n t
+
+
+*)
+end
diff --git a/tests/hol4/misc-paper/Holmakefile b/tests/hol4/misc-paper/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/misc-paper/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/misc-paper/paperScript.sml b/tests/hol4/misc-paper/paperScript.sml
new file mode 100644
index 00000000..4d6e99ba
--- /dev/null
+++ b/tests/hol4/misc-paper/paperScript.sml
@@ -0,0 +1,135 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [paper] *)
+open primitivesLib divDefLib
+
+val _ = new_theory "paper"
+
+
+val ref_incr_fwd_back_def = Define ‘
+ (** [paper::ref_incr] *)
+ ref_incr_fwd_back (x : i32) : i32 result =
+ i32_add x (int_to_i32 1)
+’
+
+val test_incr_fwd_def = Define ‘
+ (** [paper::test_incr] *)
+ test_incr_fwd : unit result =
+ do
+ x <- ref_incr_fwd_back (int_to_i32 0);
+ if ~ (x = int_to_i32 1) then Fail Failure else Return ()
+ od
+’
+
+(** Unit test for [paper::test_incr] *)
+val _ = assert_return (“test_incr_fwd”)
+
+val choose_fwd_def = Define ‘
+ (** [paper::choose] *)
+ choose_fwd (b : bool) (x : 't) (y : 't) : 't result =
+ if b then Return x else Return y
+’
+
+val choose_back_def = Define ‘
+ (** [paper::choose] *)
+ choose_back (b : bool) (x : 't) (y : 't) (ret : 't) : ('t # 't) result =
+ if b then Return (ret, y) else Return (x, ret)
+’
+
+val test_choose_fwd_def = Define ‘
+ (** [paper::test_choose] *)
+ test_choose_fwd : unit result =
+ do
+ z <- choose_fwd T (int_to_i32 0) (int_to_i32 0);
+ z0 <- i32_add z (int_to_i32 1);
+ if ~ (z0 = int_to_i32 1)
+ then Fail Failure
+ else (
+ do
+ (x, y) <- choose_back T (int_to_i32 0) (int_to_i32 0) z0;
+ if ~ (x = int_to_i32 1)
+ then Fail Failure
+ else if ~ (y = int_to_i32 0) then Fail Failure else Return ()
+ od)
+ od
+’
+
+(** Unit test for [paper::test_choose] *)
+val _ = assert_return (“test_choose_fwd”)
+
+Datatype:
+ (** [paper::List] *)
+ list_t = | ListCons 't list_t | ListNil
+End
+
+val [list_nth_mut_fwd_def] = DefineDiv ‘
+ (** [paper::list_nth_mut] *)
+ list_nth_mut_fwd (l : 't list_t) (i : u32) : 't result =
+ (case l of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return x
+ else (do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_fwd tl i0
+ od)
+ | ListNil => Fail Failure)
+’
+
+val [list_nth_mut_back_def] = DefineDiv ‘
+ (** [paper::list_nth_mut] *)
+ list_nth_mut_back (l : 't list_t) (i : u32) (ret : 't) : 't list_t result =
+ (case l of
+ | ListCons x tl =>
+ if i = int_to_u32 0
+ then Return (ListCons ret tl)
+ else (
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_back tl i0 ret;
+ Return (ListCons x tl0)
+ od)
+ | ListNil => Fail Failure)
+’
+
+val [sum_fwd_def] = DefineDiv ‘
+ (** [paper::sum] *)
+ sum_fwd (l : i32 list_t) : i32 result =
+ (case l of
+ | ListCons x tl => do
+ i <- sum_fwd tl;
+ i32_add x i
+ od
+ | ListNil => Return (int_to_i32 0))
+’
+
+val test_nth_fwd_def = Define ‘
+ (** [paper::test_nth] *)
+ test_nth_fwd : unit result =
+ let l = ListNil in
+ let l0 = ListCons (int_to_i32 3) l in
+ let l1 = ListCons (int_to_i32 2) l0 in
+ do
+ x <- list_nth_mut_fwd (ListCons (int_to_i32 1) l1) (int_to_u32 2);
+ x0 <- i32_add x (int_to_i32 1);
+ l2 <- list_nth_mut_back (ListCons (int_to_i32 1) l1) (int_to_u32 2) x0;
+ i <- sum_fwd l2;
+ if ~ (i = int_to_i32 7) then Fail Failure else Return ()
+ od
+’
+
+(** Unit test for [paper::test_nth] *)
+val _ = assert_return (“test_nth_fwd”)
+
+val call_choose_fwd_def = Define ‘
+ (** [paper::call_choose] *)
+ call_choose_fwd (p : (u32 # u32)) : u32 result =
+ let (px, py) = p in
+ do
+ pz <- choose_fwd T px py;
+ pz0 <- u32_add pz (int_to_u32 1);
+ (px0, _) <- choose_back T px py pz0;
+ Return px0
+ od
+’
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-paper/paperTheory.sig b/tests/hol4/misc-paper/paperTheory.sig
new file mode 100644
index 00000000..2da80da1
--- /dev/null
+++ b/tests/hol4/misc-paper/paperTheory.sig
@@ -0,0 +1,210 @@
+signature paperTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val call_choose_fwd_def : thm
+ val choose_back_def : thm
+ val choose_fwd_def : thm
+ val list_nth_mut_back_def : thm
+ val list_nth_mut_fwd_def : thm
+ val list_t_TY_DEF : thm
+ val list_t_case_def : thm
+ val list_t_size_def : thm
+ val ref_incr_fwd_back_def : thm
+ val sum_fwd_def : thm
+ val test_choose_fwd_def : thm
+ val test_incr_fwd_def : thm
+ val test_nth_fwd_def : thm
+
+ (* Theorems *)
+ val datatype_list_t : thm
+ val list_t_11 : thm
+ val list_t_Axiom : thm
+ val list_t_case_cong : thm
+ val list_t_case_eq : thm
+ val list_t_distinct : thm
+ val list_t_induction : thm
+ val list_t_nchotomy : thm
+
+ val paper_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "paper"
+
+ [call_choose_fwd_def] Definition
+
+ ⊢ ∀p. call_choose_fwd p =
+ (let
+ (px,py) = p
+ in
+ do
+ pz <- choose_fwd T px py;
+ pz0 <- u32_add pz (int_to_u32 1);
+ (px0,_) <- choose_back T px py pz0;
+ Return px0
+ od)
+
+ [choose_back_def] Definition
+
+ ⊢ ∀b x y ret.
+ choose_back b x y ret =
+ if b then Return (ret,y) else Return (x,ret)
+
+ [choose_fwd_def] Definition
+
+ ⊢ ∀b x y. choose_fwd b x y = if b then Return x else Return y
+
+ [list_nth_mut_back_def] Definition
+
+ ⊢ ∀l i ret.
+ list_nth_mut_back l i ret =
+ case l of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return (ListCons ret tl)
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ tl0 <- list_nth_mut_back tl i0 ret;
+ Return (ListCons x tl0)
+ od
+ | ListNil => Fail Failure
+
+ [list_nth_mut_fwd_def] Definition
+
+ ⊢ ∀l i.
+ list_nth_mut_fwd l i =
+ case l of
+ ListCons x tl =>
+ if i = int_to_u32 0 then Return x
+ else
+ do
+ i0 <- u32_sub i (int_to_u32 1);
+ list_nth_mut_fwd tl i0
+ od
+ | ListNil => Fail Failure
+
+ [list_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('list_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 a0
+ (ind_type$FCONS a1 (λn. ind_type$BOTTOM)))
+ a0 a1 ∧ $var$('list_t') a1) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) ARB (λn. ind_type$BOTTOM) ⇒
+ $var$('list_t') a0') ⇒
+ $var$('list_t') a0') rep
+
+ [list_t_case_def] Definition
+
+ ⊢ (∀a0 a1 f v. list_t_CASE (ListCons a0 a1) f v = f a0 a1) ∧
+ ∀f v. list_t_CASE ListNil f v = v
+
+ [list_t_size_def] Definition
+
+ ⊢ (∀f a0 a1.
+ list_t_size f (ListCons a0 a1) = 1 + (f a0 + list_t_size f a1)) ∧
+ ∀f. list_t_size f ListNil = 0
+
+ [ref_incr_fwd_back_def] Definition
+
+ ⊢ ∀x. ref_incr_fwd_back x = i32_add x (int_to_i32 1)
+
+ [sum_fwd_def] Definition
+
+ ⊢ ∀l. sum_fwd l =
+ case l of
+ ListCons x tl => do i <- sum_fwd tl; i32_add x i od
+ | ListNil => Return (int_to_i32 0)
+
+ [test_choose_fwd_def] Definition
+
+ ⊢ test_choose_fwd =
+ do
+ z <- choose_fwd T (int_to_i32 0) (int_to_i32 0);
+ z0 <- i32_add z (int_to_i32 1);
+ if z0 ≠ int_to_i32 1 then Fail Failure
+ else
+ do
+ (x,y) <- choose_back T (int_to_i32 0) (int_to_i32 0) z0;
+ if x ≠ int_to_i32 1 then Fail Failure
+ else if y ≠ int_to_i32 0 then Fail Failure
+ else Return ()
+ od
+ od
+
+ [test_incr_fwd_def] Definition
+
+ ⊢ test_incr_fwd =
+ do
+ x <- ref_incr_fwd_back (int_to_i32 0);
+ if x ≠ int_to_i32 1 then Fail Failure else Return ()
+ od
+
+ [test_nth_fwd_def] Definition
+
+ ⊢ test_nth_fwd =
+ (let
+ l = ListNil;
+ l0 = ListCons (int_to_i32 3) l;
+ l1 = ListCons (int_to_i32 2) l0
+ in
+ do
+ x <-
+ list_nth_mut_fwd (ListCons (int_to_i32 1) l1) (int_to_u32 2);
+ x0 <- i32_add x (int_to_i32 1);
+ l2 <-
+ list_nth_mut_back (ListCons (int_to_i32 1) l1)
+ (int_to_u32 2) x0;
+ i <- sum_fwd l2;
+ if i ≠ int_to_i32 7 then Fail Failure else Return ()
+ od)
+
+ [datatype_list_t] Theorem
+
+ ⊢ DATATYPE (list_t ListCons ListNil)
+
+ [list_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ ListCons a0 a1 = ListCons a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [list_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a0 a1. fn (ListCons a0 a1) = f0 a0 a1 (fn a1)) ∧
+ fn ListNil = f1
+
+ [list_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧ (∀a0 a1. M' = ListCons a0 a1 ⇒ f a0 a1 = f' a0 a1) ∧
+ (M' = ListNil ⇒ v = v') ⇒
+ list_t_CASE M f v = list_t_CASE M' f' v'
+
+ [list_t_case_eq] Theorem
+
+ ⊢ list_t_CASE x f v = v' ⇔
+ (∃t l. x = ListCons t l ∧ f t l = v') ∨ x = ListNil ∧ v = v'
+
+ [list_t_distinct] Theorem
+
+ ⊢ ∀a1 a0. ListCons a0 a1 ≠ ListNil
+
+ [list_t_induction] Theorem
+
+ ⊢ ∀P. (∀l. P l ⇒ ∀t. P (ListCons t l)) ∧ P ListNil ⇒ ∀l. P l
+
+ [list_t_nchotomy] Theorem
+
+ ⊢ ∀ll. (∃t l. ll = ListCons t l) ∨ ll = ListNil
+
+
+*)
+end
diff --git a/tests/hol4/misc-polonius_list/Holmakefile b/tests/hol4/misc-polonius_list/Holmakefile
new file mode 100644
index 00000000..3c4b8973
--- /dev/null
+++ b/tests/hol4/misc-polonius_list/Holmakefile
@@ -0,0 +1,5 @@
+# This file was automatically generated - modify ../Holmakefile.template instead
+INCLUDES = ../../../backends/hol4
+
+all: $(DEFAULT_TARGETS)
+.PHONY: all
diff --git a/tests/hol4/misc-polonius_list/poloniusListScript.sml b/tests/hol4/misc-polonius_list/poloniusListScript.sml
new file mode 100644
index 00000000..dd631169
--- /dev/null
+++ b/tests/hol4/misc-polonius_list/poloniusListScript.sml
@@ -0,0 +1,37 @@
+(** THIS FILE WAS AUTOMATICALLY GENERATED BY AENEAS *)
+(** [polonius_list] *)
+open primitivesLib divDefLib
+
+val _ = new_theory "poloniusList"
+
+
+Datatype:
+ (** [polonius_list::List] *)
+ list_t = | ListCons 't list_t | ListNil
+End
+
+val [get_list_at_x_fwd_def] = DefineDiv ‘
+ (** [polonius_list::get_list_at_x] *)
+ get_list_at_x_fwd (ls : u32 list_t) (x : u32) : u32 list_t result =
+ (case ls of
+ | ListCons hd tl =>
+ if hd = x then Return (ListCons hd tl) else get_list_at_x_fwd tl x
+ | ListNil => Return ListNil)
+’
+
+val [get_list_at_x_back_def] = DefineDiv ‘
+ (** [polonius_list::get_list_at_x] *)
+ get_list_at_x_back
+ (ls : u32 list_t) (x : u32) (ret : u32 list_t) : u32 list_t result =
+ (case ls of
+ | ListCons hd tl =>
+ if hd = x
+ then Return ret
+ else (do
+ tl0 <- get_list_at_x_back tl x ret;
+ Return (ListCons hd tl0)
+ od)
+ | ListNil => Return ret)
+’
+
+val _ = export_theory ()
diff --git a/tests/hol4/misc-polonius_list/poloniusListTheory.sig b/tests/hol4/misc-polonius_list/poloniusListTheory.sig
new file mode 100644
index 00000000..41f21df7
--- /dev/null
+++ b/tests/hol4/misc-polonius_list/poloniusListTheory.sig
@@ -0,0 +1,120 @@
+signature poloniusListTheory =
+sig
+ type thm = Thm.thm
+
+ (* Definitions *)
+ val get_list_at_x_back_def : thm
+ val get_list_at_x_fwd_def : thm
+ val list_t_TY_DEF : thm
+ val list_t_case_def : thm
+ val list_t_size_def : thm
+
+ (* Theorems *)
+ val datatype_list_t : thm
+ val list_t_11 : thm
+ val list_t_Axiom : thm
+ val list_t_case_cong : thm
+ val list_t_case_eq : thm
+ val list_t_distinct : thm
+ val list_t_induction : thm
+ val list_t_nchotomy : thm
+
+ val poloniusList_grammars : type_grammar.grammar * term_grammar.grammar
+(*
+ [divDef] Parent theory of "poloniusList"
+
+ [get_list_at_x_back_def] Definition
+
+ ⊢ ∀ls x ret.
+ get_list_at_x_back ls x ret =
+ case ls of
+ ListCons hd tl =>
+ if hd = x then Return ret
+ else
+ do
+ tl0 <- get_list_at_x_back tl x ret;
+ Return (ListCons hd tl0)
+ od
+ | ListNil => Return ret
+
+ [get_list_at_x_fwd_def] Definition
+
+ ⊢ ∀ls x.
+ get_list_at_x_fwd ls x =
+ case ls of
+ ListCons hd tl =>
+ if hd = x then Return (ListCons hd tl)
+ else get_list_at_x_fwd tl x
+ | ListNil => Return ListNil
+
+ [list_t_TY_DEF] Definition
+
+ ⊢ ∃rep.
+ TYPE_DEFINITION
+ (λa0'.
+ ∀ $var$('list_t').
+ (∀a0'.
+ (∃a0 a1.
+ a0' =
+ (λa0 a1.
+ ind_type$CONSTR 0 a0
+ (ind_type$FCONS a1 (λn. ind_type$BOTTOM)))
+ a0 a1 ∧ $var$('list_t') a1) ∨
+ a0' =
+ ind_type$CONSTR (SUC 0) ARB (λn. ind_type$BOTTOM) ⇒
+ $var$('list_t') a0') ⇒
+ $var$('list_t') a0') rep
+
+ [list_t_case_def] Definition
+
+ ⊢ (∀a0 a1 f v. list_t_CASE (ListCons a0 a1) f v = f a0 a1) ∧
+ ∀f v. list_t_CASE ListNil f v = v
+
+ [list_t_size_def] Definition
+
+ ⊢ (∀f a0 a1.
+ list_t_size f (ListCons a0 a1) = 1 + (f a0 + list_t_size f a1)) ∧
+ ∀f. list_t_size f ListNil = 0
+
+ [datatype_list_t] Theorem
+
+ ⊢ DATATYPE (list_t ListCons ListNil)
+
+ [list_t_11] Theorem
+
+ ⊢ ∀a0 a1 a0' a1'.
+ ListCons a0 a1 = ListCons a0' a1' ⇔ a0 = a0' ∧ a1 = a1'
+
+ [list_t_Axiom] Theorem
+
+ ⊢ ∀f0 f1. ∃fn.
+ (∀a0 a1. fn (ListCons a0 a1) = f0 a0 a1 (fn a1)) ∧
+ fn ListNil = f1
+
+ [list_t_case_cong] Theorem
+
+ ⊢ ∀M M' f v.
+ M = M' ∧ (∀a0 a1. M' = ListCons a0 a1 ⇒ f a0 a1 = f' a0 a1) ∧
+ (M' = ListNil ⇒ v = v') ⇒
+ list_t_CASE M f v = list_t_CASE M' f' v'
+
+ [list_t_case_eq] Theorem
+
+ ⊢ list_t_CASE x f v = v' ⇔
+ (∃t l. x = ListCons t l ∧ f t l = v') ∨ x = ListNil ∧ v = v'
+
+ [list_t_distinct] Theorem
+
+ ⊢ ∀a1 a0. ListCons a0 a1 ≠ ListNil
+
+ [list_t_induction] Theorem
+
+ ⊢ ∀P. (∀l. P l ⇒ ∀t. P (ListCons t l)) ∧ P ListNil ⇒ ∀l. P l
+
+ [list_t_nchotomy] Theorem
+
+ ⊢ ∀ll. (∃t l. ll = ListCons t l) ∨ ll = ListNil
+
+
+*)
+end