signature primitivesTheory = sig type thm = Thm.thm (* Axioms *) val i128_to_int_bounds : thm val i128_to_int_int_to_i128 : thm val i16_to_int_bounds : thm val i16_to_int_int_to_i16 : thm val i32_to_int_bounds : thm val i32_to_int_int_to_i32 : thm val i64_to_int_bounds : thm val i64_to_int_int_to_i64 : thm val i8_to_int_bounds : thm val i8_to_int_int_to_i8 : thm val int_to_i128_i128_to_int : thm val int_to_i16_i16_to_int : thm val int_to_i32_i32_to_int : thm val int_to_i64_i64_to_int : thm val int_to_i8_i8_to_int : thm val int_to_isize_isize_to_int : thm val int_to_u128_u128_to_int : thm val int_to_u16_u16_to_int : thm val int_to_u32_u32_to_int : thm val int_to_u64_u64_to_int : thm val int_to_u8_u8_to_int : thm val int_to_usize_usize_to_int : thm val isize_bounds : thm val isize_to_int_bounds : thm val isize_to_int_int_to_isize : thm val mk_vec_axiom : thm val u128_to_int_bounds : thm val u128_to_int_int_to_u128 : thm val u16_to_int_bounds : thm val u16_to_int_int_to_u16 : thm val u32_to_int_bounds : thm val u32_to_int_int_to_u32 : thm val u64_to_int_bounds : thm val u64_to_int_int_to_u64 : thm val u8_to_int_bounds : thm val u8_to_int_int_to_u8 : thm val usize_bounds : thm val usize_to_int_bounds : thm val usize_to_int_int_to_usize : thm val vec_to_list_num_bounds : thm (* Definitions *) val bind_def : thm val core_i128_max_def : thm val core_i128_min_def : thm val core_i16_max_def : thm val core_i16_min_def : thm val core_i32_max_def : thm val core_i32_min_def : thm val core_i64_max_def : thm val core_i64_min_def : thm val core_i8_max_def : thm val core_i8_min_def : thm val core_isize_max_def : thm val core_isize_min_def : thm val core_u128_max_def : thm val core_u128_min_def : thm val core_u16_max_def : thm val core_u16_min_def : thm val core_u32_max_def : thm val core_u32_min_def : thm val core_u64_max_def : thm val core_u64_min_def : thm val core_u8_max_def : thm val core_u8_min_def : thm val core_usize_max_def : thm val core_usize_min_def : thm val error_BIJ : thm val error_CASE : thm val error_TY_DEF : thm val error_size_def : thm val get_return_value_def : thm val i128_add_def : thm val i128_div_def : thm val i128_ge_def : thm val i128_gt_def : thm val i128_le_def : thm val i128_lt_def : thm val i128_max_def : thm val i128_min_def : thm val i128_mul_def : thm val i128_neg_def : thm val i128_rem_def : thm val i128_sub_def : thm val i16_add_def : thm val i16_div_def : thm val i16_ge_def : thm val i16_gt_def : thm val i16_le_def : thm val i16_lt_def : thm val i16_max_def : thm val i16_min_def : thm val i16_mul_def : thm val i16_neg_def : thm val i16_rem_def : thm val i16_sub_def : thm val i32_add_def : thm val i32_div_def : thm val i32_ge_def : thm val i32_gt_def : thm val i32_le_def : thm val i32_lt_def : thm val i32_max_def : thm val i32_min_def : thm val i32_mul_def : thm val i32_neg_def : thm val i32_rem_def : thm val i32_sub_def : thm val i64_add_def : thm val i64_div_def : thm val i64_ge_def : thm val i64_gt_def : thm val i64_le_def : thm val i64_lt_def : thm val i64_max_def : thm val i64_min_def : thm val i64_mul_def : thm val i64_neg_def : thm val i64_rem_def : thm val i64_sub_def : thm val i8_add_def : thm val i8_div_def : thm val i8_ge_def : thm val i8_gt_def : thm val i8_le_def : thm val i8_lt_def : thm val i8_max_def : thm val i8_min_def : thm val i8_mul_def : thm val i8_neg_def : thm val i8_rem_def : thm val i8_sub_def : thm val int_rem_def : thm val is_diverge_def : thm val isize_add_def : thm val isize_div_def : thm val isize_ge_def : thm val isize_gt_def : thm val isize_le_def : thm val isize_lt_def : thm val isize_mul_def : thm val isize_neg_def : thm val isize_rem_def : thm val isize_sub_def : thm val massert_def : thm val mem_replace_back_def : thm val mem_replace_fwd_def : thm val mk_i128_def : thm val mk_i16_def : thm val mk_i32_def : thm val mk_i64_def : thm val mk_i8_def : thm val mk_isize_def : thm val mk_u128_def : thm val mk_u16_def : thm val mk_u32_def : thm val mk_u64_def : thm val mk_u8_def : thm val mk_usize_def : thm val result_TY_DEF : thm val result_case_def : thm val result_size_def : thm val return_def : thm val u128_add_def : thm val u128_div_def : thm val u128_ge_def : thm val u128_gt_def : thm val u128_le_def : thm val u128_lt_def : thm val u128_max_def : thm val u128_mul_def : thm val u128_rem_def : thm val u128_sub_def : thm val u16_add_def : thm val u16_div_def : thm val u16_ge_def : thm val u16_gt_def : thm val u16_le_def : thm val u16_lt_def : thm val u16_max_def : thm val u16_mul_def : thm val u16_rem_def : thm val u16_sub_def : thm val u32_add_def : thm val u32_div_def : thm val u32_ge_def : thm val u32_gt_def : thm val u32_le_def : thm val u32_lt_def : thm val u32_max_def : thm val u32_mul_def : thm val u32_rem_def : thm val u32_sub_def : thm val u64_add_def : thm val u64_div_def : thm val u64_ge_def : thm val u64_gt_def : thm val u64_le_def : thm val u64_lt_def : thm val u64_max_def : thm val u64_mul_def : thm val u64_rem_def : thm val u64_sub_def : thm val u8_add_def : thm val u8_div_def : thm val u8_ge_def : thm val u8_gt_def : thm val u8_le_def : thm val u8_lt_def : thm val u8_max_def : thm val u8_mul_def : thm val u8_rem_def : thm val u8_sub_def : thm val usize_add_def : thm val usize_div_def : thm val usize_ge_def : thm val usize_gt_def : thm val usize_le_def : thm val usize_lt_def : thm val usize_mul_def : thm val usize_rem_def : thm val usize_sub_def : thm val vec_index_back_def : thm val vec_index_def : thm val vec_index_fwd_def : thm val vec_index_mut_back_def : thm val vec_index_mut_fwd_def : thm val vec_insert_back_def : thm val vec_len_def : thm val vec_new_def : thm val vec_push_back_def : thm val vec_update_def : thm (* Theorems *) val bind_return_fail_div_eq : thm val datatype_error : thm val datatype_result : thm val error2num_11 : thm val error2num_ONTO : thm val error2num_num2error : thm val error2num_thm : thm val error_Axiom : thm val error_EQ_error : thm val error_case_cong : thm val error_case_def : thm val error_case_eq : thm val error_induction : thm val error_nchotomy : thm val i128_add_eq : thm val i128_div_eq : thm val i128_eq_equiv : thm val i128_mul_eq : thm val i128_neg_eq : thm val i128_rem_eq : thm val i128_sub_eq : thm val i128_to_int_int_to_i128_unfold : thm val i16_add_eq : thm val i16_div_eq : thm val i16_eq_equiv : thm val i16_mul_eq : thm val i16_neg_eq : thm val i16_rem_eq : thm val i16_sub_eq : thm val i16_to_int_int_to_i16_unfold : thm val i32_add_eq : thm val i32_div_eq : thm val i32_eq_equiv : thm val i32_mul_eq : thm val i32_neg_eq : thm val i32_rem_eq : thm val i32_sub_eq : thm val i32_to_int_int_to_i32_unfold : thm val i64_add_eq : thm val i64_div_eq : thm val i64_eq_equiv : thm val i64_mul_eq : thm val i64_neg_eq : thm val i64_rem_eq : thm val i64_sub_eq : thm val i64_to_int_int_to_i64_unfold : thm val i8_add_eq : thm val i8_div_eq : thm val i8_eq_equiv : thm val i8_mul_eq : thm val i8_neg_eq : thm val i8_rem_eq : thm val i8_sub_eq : thm val i8_to_int_int_to_i8_unfold : thm val index_update_diff : thm val index_update_same : thm val isize_add_eq : thm val isize_div_eq : thm val isize_eq_equiv : thm val isize_mul_eq : thm val isize_neg_eq : thm val isize_rem_eq : thm val isize_sub_eq : thm val isize_to_int_int_to_isize_i16_bounds : thm val isize_to_int_int_to_isize_unfold : thm val len_update : thm val mk_isize_unfold : thm val mk_usize_unfold : thm val mk_vec_unfold : thm val num2error_11 : thm val num2error_ONTO : thm val num2error_error2num : thm val num2error_thm : thm val pos_rem_pos_ineqs : thm val result_11 : thm val result_Axiom : thm val result_case_cong : thm val result_case_eq : thm val result_distinct : thm val result_induction : thm val result_nchotomy : thm val u128_add_eq : thm val u128_div_eq : thm val u128_eq_equiv : thm val u128_mul_eq : thm val u128_rem_eq : thm val u128_sub_eq : thm val u128_to_int_int_to_u128_unfold : thm val u16_add_eq : thm val u16_div_eq : thm val u16_eq_equiv : thm val u16_mul_eq : thm val u16_rem_eq : thm val u16_sub_eq : thm val u16_to_int_int_to_u16_unfold : thm val u32_add_eq : thm val u32_div_eq : thm val u32_eq_equiv : thm val u32_mul_eq : thm val u32_rem_eq : thm val u32_sub_eq : thm val u32_to_int_int_to_u32_unfold : thm val u64_add_eq : thm val u64_div_eq : thm val u64_eq_equiv : thm val u64_mul_eq : thm val u64_rem_eq : thm val u64_sub_eq : thm val u64_to_int_int_to_u64_unfold : thm val u8_add_eq : thm val u8_div_eq : thm val u8_eq_equiv : thm val u8_mul_eq : thm val u8_rem_eq : thm val u8_sub_eq : thm val u8_to_int_int_to_u8_unfold : thm val update_len : thm val update_spec : thm val usize_add_eq : thm val usize_div_eq : thm val usize_eq_equiv : thm val usize_mul_eq : thm val usize_rem_eq : thm val usize_sub_eq : thm val usize_to_int_int_to_usize_u16_bounds : thm val usize_to_int_int_to_usize_unfold : thm val vec_index_back_spec : thm val vec_index_fwd_spec : thm val vec_index_mut_back_spec : thm val vec_index_mut_fwd_spec : thm val vec_insert_back_spec : thm val vec_len_spec : thm val vec_len_vec_new : thm val vec_push_back_spec : thm val vec_push_back_unfold : thm val vec_to_list_int_bounds : thm val vec_to_list_vec_new : thm val vec_to_list_vec_update : thm val vec_update_eq : thm val primitives_grammars : type_grammar.grammar * term_grammar.grammar (* [ilist] Parent theory of "primitives" [string] Parent theory of "primitives" [i128_to_int_bounds] Axiom [oracles: ] [axioms: i128_to_int_bounds] [] ⊢ ∀n. i128_min ≤ i128_to_int n ∧ i128_to_int n ≤ i128_max [i128_to_int_int_to_i128] Axiom [oracles: ] [axioms: i128_to_int_int_to_i128] [] ⊢ ∀n. i128_min ≤ n ∧ n ≤ i128_max ⇒ i128_to_int (int_to_i128 n) = n [i16_to_int_bounds] Axiom [oracles: ] [axioms: i16_to_int_bounds] [] ⊢ ∀n. i16_min ≤ i16_to_int n ∧ i16_to_int n ≤ i16_max [i16_to_int_int_to_i16] Axiom [oracles: ] [axioms: i16_to_int_int_to_i16] [] ⊢ ∀n. i16_min ≤ n ∧ n ≤ i16_max ⇒ i16_to_int (int_to_i16 n) = n [i32_to_int_bounds] Axiom [oracles: ] [axioms: i32_to_int_bounds] [] ⊢ ∀n. i32_min ≤ i32_to_int n ∧ i32_to_int n ≤ i32_max [i32_to_int_int_to_i32] Axiom [oracles: ] [axioms: i32_to_int_int_to_i32] [] ⊢ ∀n. i32_min ≤ n ∧ n ≤ i32_max ⇒ i32_to_int (int_to_i32 n) = n [i64_to_int_bounds] Axiom [oracles: ] [axioms: i64_to_int_bounds] [] ⊢ ∀n. i64_min ≤ i64_to_int n ∧ i64_to_int n ≤ i64_max [i64_to_int_int_to_i64] Axiom [oracles: ] [axioms: i64_to_int_int_to_i64] [] ⊢ ∀n. i64_min ≤ n ∧ n ≤ i64_max ⇒ i64_to_int (int_to_i64 n) = n [i8_to_int_bounds] Axiom [oracles: ] [axioms: i8_to_int_bounds] [] ⊢ ∀n. i8_min ≤ i8_to_int n ∧ i8_to_int n ≤ i8_max [i8_to_int_int_to_i8] Axiom [oracles: ] [axioms: i8_to_int_int_to_i8] [] ⊢ ∀n. i8_min ≤ n ∧ n ≤ i8_max ⇒ i8_to_int (int_to_i8 n) = n [int_to_i128_i128_to_int] Axiom [oracles: ] [axioms: int_to_i128_i128_to_int] [] ⊢ ∀i. int_to_i128 (i128_to_int i) = i [int_to_i16_i16_to_int] Axiom [oracles: ] [axioms: int_to_i16_i16_to_int] [] ⊢ ∀i. int_to_i16 (i16_to_int i) = i [int_to_i32_i32_to_int] Axiom [oracles: ] [axioms: int_to_i32_i32_to_int] [] ⊢ ∀i. int_to_i32 (i32_to_int i) = i [int_to_i64_i64_to_int] Axiom [oracles: ] [axioms: int_to_i64_i64_to_int] [] ⊢ ∀i. int_to_i64 (i64_to_int i) = i [int_to_i8_i8_to_int] Axiom [oracles: ] [axioms: int_to_i8_i8_to_int] [] ⊢ ∀i. int_to_i8 (i8_to_int i) = i [int_to_isize_isize_to_int] Axiom [oracles: ] [axioms: int_to_isize_isize_to_int] [] ⊢ ∀i. int_to_isize (isize_to_int i) = i [int_to_u128_u128_to_int] Axiom [oracles: ] [axioms: int_to_u128_u128_to_int] [] ⊢ ∀i. int_to_u128 (u128_to_int i) = i [int_to_u16_u16_to_int] Axiom [oracles: ] [axioms: int_to_u16_u16_to_int] [] ⊢ ∀i. int_to_u16 (u16_to_int i) = i [int_to_u32_u32_to_int] Axiom [oracles: ] [axioms: int_to_u32_u32_to_int] [] ⊢ ∀i. int_to_u32 (u32_to_int i) = i [int_to_u64_u64_to_int] Axiom [oracles: ] [axioms: int_to_u64_u64_to_int] [] ⊢ ∀i. int_to_u64 (u64_to_int i) = i [int_to_u8_u8_to_int] Axiom [oracles: ] [axioms: int_to_u8_u8_to_int] [] ⊢ ∀i. int_to_u8 (u8_to_int i) = i [int_to_usize_usize_to_int] Axiom [oracles: ] [axioms: int_to_usize_usize_to_int] [] ⊢ ∀i. int_to_usize (usize_to_int i) = i [isize_bounds] Axiom [oracles: ] [axioms: isize_bounds] [] ⊢ isize_min ≤ i16_min ∧ i16_max ≤ isize_max [isize_to_int_bounds] Axiom [oracles: ] [axioms: isize_to_int_bounds] [] ⊢ ∀n. isize_min ≤ isize_to_int n ∧ isize_to_int n ≤ isize_max [isize_to_int_int_to_isize] Axiom [oracles: ] [axioms: isize_to_int_int_to_isize] [] ⊢ ∀n. isize_min ≤ n ∧ n ≤ isize_max ⇒ isize_to_int (int_to_isize n) = n [mk_vec_axiom] Axiom [oracles: ] [axioms: mk_vec_axiom] [] ⊢ ∀l. len l ≤ usize_max ⇒ vec_to_list (mk_vec l) = l [u128_to_int_bounds] Axiom [oracles: ] [axioms: u128_to_int_bounds] [] ⊢ ∀n. 0 ≤ u128_to_int n ∧ u128_to_int n ≤ u128_max [u128_to_int_int_to_u128] Axiom [oracles: ] [axioms: u128_to_int_int_to_u128] [] ⊢ ∀n. 0 ≤ n ∧ n ≤ u128_max ⇒ u128_to_int (int_to_u128 n) = n [u16_to_int_bounds] Axiom [oracles: ] [axioms: u16_to_int_bounds] [] ⊢ ∀n. 0 ≤ u16_to_int n ∧ u16_to_int n ≤ u16_max [u16_to_int_int_to_u16] Axiom [oracles: ] [axioms: u16_to_int_int_to_u16] [] ⊢ ∀n. 0 ≤ n ∧ n ≤ u16_max ⇒ u16_to_int (int_to_u16 n) = n [u32_to_int_bounds] Axiom [oracles: ] [axioms: u32_to_int_bounds] [] ⊢ ∀n. 0 ≤ u32_to_int n ∧ u32_to_int n ≤ u32_max [u32_to_int_int_to_u32] Axiom [oracles: ] [axioms: u32_to_int_int_to_u32] [] ⊢ ∀n. 0 ≤ n ∧ n ≤ u32_max ⇒ u32_to_int (int_to_u32 n) = n [u64_to_int_bounds] Axiom [oracles: ] [axioms: u64_to_int_bounds] [] ⊢ ∀n. 0 ≤ u64_to_int n ∧ u64_to_int n ≤ u64_max [u64_to_int_int_to_u64] Axiom [oracles: ] [axioms: u64_to_int_int_to_u64] [] ⊢ ∀n. 0 ≤ n ∧ n ≤ u64_max ⇒ u64_to_int (int_to_u64 n) = n [u8_to_int_bounds] Axiom [oracles: ] [axioms: u8_to_int_bounds] [] ⊢ ∀n. 0 ≤ u8_to_int n ∧ u8_to_int n ≤ u8_max [u8_to_int_int_to_u8] Axiom [oracles: ] [axioms: u8_to_int_int_to_u8] [] ⊢ ∀n. 0 ≤ n ∧ n ≤ u8_max ⇒ u8_to_int (int_to_u8 n) = n [usize_bounds] Axiom [oracles: ] [axioms: usize_bounds] [] ⊢ u16_max ≤ usize_max [usize_to_int_bounds] Axiom [oracles: ] [axioms: usize_to_int_bounds] [] ⊢ ∀n. 0 ≤ usize_to_int n ∧ usize_to_int n ≤ usize_max [usize_to_int_int_to_usize] Axiom [oracles: ] [axioms: usize_to_int_int_to_usize] [] ⊢ ∀n. 0 ≤ n ∧ n ≤ usize_max ⇒ usize_to_int (int_to_usize n) = n [vec_to_list_num_bounds] Axiom [oracles: ] [axioms: vec_to_list_num_bounds] [] ⊢ ∀v. 0 ≤ LENGTH (vec_to_list v) ∧ LENGTH (vec_to_list v) ≤ Num usize_max [bind_def] Definition ⊢ ∀x f. monad_bind x f = case x of Return y => f y | Fail e => Fail e | Diverge => Diverge [core_i128_max_def] Definition ⊢ core_i128_max = int_to_i128 i128_max [core_i128_min_def] Definition ⊢ core_i128_min = int_to_i128 i128_min [core_i16_max_def] Definition ⊢ core_i16_max = int_to_i16 i16_max [core_i16_min_def] Definition ⊢ core_i16_min = int_to_i16 i16_min [core_i32_max_def] Definition ⊢ core_i32_max = int_to_i32 i32_max [core_i32_min_def] Definition ⊢ core_i32_min = int_to_i32 i32_min [core_i64_max_def] Definition ⊢ core_i64_max = int_to_i64 i64_max [core_i64_min_def] Definition ⊢ core_i64_min = int_to_i64 i64_min [core_i8_max_def] Definition ⊢ core_i8_max = int_to_i8 i8_max [core_i8_min_def] Definition ⊢ core_i8_min = int_to_i8 i8_min [core_isize_max_def] Definition ⊢ core_isize_max = int_to_isize isize_max [core_isize_min_def] Definition ⊢ core_isize_min = int_to_isize isize_min [core_u128_max_def] Definition ⊢ core_u128_max = int_to_u128 u128_max [core_u128_min_def] Definition ⊢ core_u128_min = int_to_u128 0 [core_u16_max_def] Definition ⊢ core_u16_max = int_to_u16 u16_max [core_u16_min_def] Definition ⊢ core_u16_min = int_to_u16 0 [core_u32_max_def] Definition ⊢ core_u32_max = int_to_u32 u32_max [core_u32_min_def] Definition ⊢ core_u32_min = int_to_u32 0 [core_u64_max_def] Definition ⊢ core_u64_max = int_to_u64 u64_max [core_u64_min_def] Definition ⊢ core_u64_min = int_to_u64 0 [core_u8_max_def] Definition ⊢ core_u8_max = int_to_u8 u8_max [core_u8_min_def] Definition ⊢ core_u8_min = int_to_u8 0 [core_usize_max_def] Definition ⊢ core_usize_max = int_to_usize usize_max [core_usize_min_def] Definition ⊢ core_usize_min = int_to_usize 0 [error_BIJ] Definition ⊢ (∀a. num2error (error2num a) = a) ∧ ∀r. (λn. n < 1) r ⇔ error2num (num2error r) = r [error_CASE] Definition ⊢ ∀x v0. (case x of Failure => v0) = (λm. v0) (error2num x) [error_TY_DEF] Definition ⊢ ∃rep. TYPE_DEFINITION (λn. n < 1) rep [error_size_def] Definition ⊢ ∀x. error_size x = 0 [get_return_value_def] Definition ⊢ ∀x. get_return_value (Return x) = x [i128_add_def] Definition ⊢ ∀x y. i128_add x y = mk_i128 (i128_to_int x + i128_to_int y) [i128_div_def] Definition ⊢ ∀x y. i128_div x y = if i128_to_int y = 0 then Fail Failure else mk_i128 (i128_to_int x / i128_to_int y) [i128_ge_def] Definition ⊢ ∀x y. i128_ge x y ⇔ i128_to_int x ≥ i128_to_int y [i128_gt_def] Definition ⊢ ∀x y. i128_gt x y ⇔ i128_to_int x > i128_to_int y [i128_le_def] Definition ⊢ ∀x y. i128_le x y ⇔ i128_to_int x ≤ i128_to_int y [i128_lt_def] Definition ⊢ ∀x y. i128_lt x y ⇔ i128_to_int x < i128_to_int y [i128_max_def] Definition ⊢ i128_max = 170141183460469231731687303715884105727 [i128_min_def] Definition ⊢ i128_min = -170141183460469231731687303715884105728 [i128_mul_def] Definition ⊢ ∀x y. i128_mul x y = mk_i128 (i128_to_int x * i128_to_int y) [i128_neg_def] Definition ⊢ ∀x. i128_neg x = mk_i128 (-i128_to_int x) [i128_rem_def] Definition ⊢ ∀x y. i128_rem x y = if i128_to_int y = 0 then Fail Failure else mk_i128 (int_rem (i128_to_int x) (i128_to_int y)) [i128_sub_def] Definition ⊢ ∀x y. i128_sub x y = mk_i128 (i128_to_int x − i128_to_int y) [i16_add_def] Definition ⊢ ∀x y. i16_add x y = mk_i16 (i16_to_int x + i16_to_int y) [i16_div_def] Definition ⊢ ∀x y. i16_div x y = if i16_to_int y = 0 then Fail Failure else mk_i16 (i16_to_int x / i16_to_int y) [i16_ge_def] Definition ⊢ ∀x y. i16_ge x y ⇔ i16_to_int x ≥ i16_to_int y [i16_gt_def] Definition ⊢ ∀x y. i16_gt x y ⇔ i16_to_int x > i16_to_int y [i16_le_def] Definition ⊢ ∀x y. i16_le x y ⇔ i16_to_int x ≤ i16_to_int y [i16_lt_def] Definition ⊢ ∀x y. i16_lt x y ⇔ i16_to_int x < i16_to_int y [i16_max_def] Definition ⊢ i16_max = 32767 [i16_min_def] Definition ⊢ i16_min = -32768 [i16_mul_def] Definition ⊢ ∀x y. i16_mul x y = mk_i16 (i16_to_int x * i16_to_int y) [i16_neg_def] Definition ⊢ ∀x. i16_neg x = mk_i16 (-i16_to_int x) [i16_rem_def] Definition ⊢ ∀x y. i16_rem x y = if i16_to_int y = 0 then Fail Failure else mk_i16 (int_rem (i16_to_int x) (i16_to_int y)) [i16_sub_def] Definition ⊢ ∀x y. i16_sub x y = mk_i16 (i16_to_int x − i16_to_int y) [i32_add_def] Definition ⊢ ∀x y. i32_add x y = mk_i32 (i32_to_int x + i32_to_int y) [i32_div_def] Definition ⊢ ∀x y. i32_div x y = if i32_to_int y = 0 then Fail Failure else mk_i32 (i32_to_int x / i32_to_int y) [i32_ge_def] Definition ⊢ ∀x y. i32_ge x y ⇔ i32_to_int x ≥ i32_to_int y [i32_gt_def] Definition ⊢ ∀x y. i32_gt x y ⇔ i32_to_int x > i32_to_int y [i32_le_def] Definition ⊢ ∀x y. i32_le x y ⇔ i32_to_int x ≤ i32_to_int y [i32_lt_def] Definition ⊢ ∀x y. i32_lt x y ⇔ i32_to_int x < i32_to_int y [i32_max_def] Definition ⊢ i32_max = 2147483647 [i32_min_def] Definition ⊢ i32_min = -2147483648 [i32_mul_def] Definition ⊢ ∀x y. i32_mul x y = mk_i32 (i32_to_int x * i32_to_int y) [i32_neg_def] Definition ⊢ ∀x. i32_neg x = mk_i32 (-i32_to_int x) [i32_rem_def] Definition ⊢ ∀x y. i32_rem x y = if i32_to_int y = 0 then Fail Failure else mk_i32 (int_rem (i32_to_int x) (i32_to_int y)) [i32_sub_def] Definition ⊢ ∀x y. i32_sub x y = mk_i32 (i32_to_int x − i32_to_int y) [i64_add_def] Definition ⊢ ∀x y. i64_add x y = mk_i64 (i64_to_int x + i64_to_int y) [i64_div_def] Definition ⊢ ∀x y. i64_div x y = if i64_to_int y = 0 then Fail Failure else mk_i64 (i64_to_int x / i64_to_int y) [i64_ge_def] Definition ⊢ ∀x y. i64_ge x y ⇔ i64_to_int x ≥ i64_to_int y [i64_gt_def] Definition ⊢ ∀x y. i64_gt x y ⇔ i64_to_int x > i64_to_int y [i64_le_def] Definition ⊢ ∀x y. i64_le x y ⇔ i64_to_int x ≤ i64_to_int y [i64_lt_def] Definition ⊢ ∀x y. i64_lt x y ⇔ i64_to_int x < i64_to_int y [i64_max_def] Definition ⊢ i64_max = 9223372036854775807 [i64_min_def] Definition ⊢ i64_min = -9223372036854775808 [i64_mul_def] Definition ⊢ ∀x y. i64_mul x y = mk_i64 (i64_to_int x * i64_to_int y) [i64_neg_def] Definition ⊢ ∀x. i64_neg x = mk_i64 (-i64_to_int x) [i64_rem_def] Definition ⊢ ∀x y. i64_rem x y = if i64_to_int y = 0 then Fail Failure else mk_i64 (int_rem (i64_to_int x) (i64_to_int y)) [i64_sub_def] Definition ⊢ ∀x y. i64_sub x y = mk_i64 (i64_to_int x − i64_to_int y) [i8_add_def] Definition ⊢ ∀x y. i8_add x y = mk_i8 (i8_to_int x + i8_to_int y) [i8_div_def] Definition ⊢ ∀x y. i8_div x y = if i8_to_int y = 0 then Fail Failure else mk_i8 (i8_to_int x / i8_to_int y) [i8_ge_def] Definition ⊢ ∀x y. i8_ge x y ⇔ i8_to_int x ≥ i8_to_int y [i8_gt_def] Definition ⊢ ∀x y. i8_gt x y ⇔ i8_to_int x > i8_to_int y [i8_le_def] Definition ⊢ ∀x y. i8_le x y ⇔ i8_to_int x ≤ i8_to_int y [i8_lt_def] Definition ⊢ ∀x y. i8_lt x y ⇔ i8_to_int x < i8_to_int y [i8_max_def] Definition ⊢ i8_max = 127 [i8_min_def] Definition ⊢ i8_min = -128 [i8_mul_def] Definition ⊢ ∀x y. i8_mul x y = mk_i8 (i8_to_int x * i8_to_int y) [i8_neg_def] Definition ⊢ ∀x. i8_neg x = mk_i8 (-i8_to_int x) [i8_rem_def] Definition ⊢ ∀x y. i8_rem x y = if i8_to_int y = 0 then Fail Failure else mk_i8 (int_rem (i8_to_int x) (i8_to_int y)) [i8_sub_def] Definition ⊢ ∀x y. i8_sub x y = mk_i8 (i8_to_int x − i8_to_int y) [int_rem_def] Definition ⊢ ∀x y. int_rem x y = if 0 ≤ x ∧ 0 ≤ y ∨ x < 0 ∧ y < 0 then x % y else -(x % y) [is_diverge_def] Definition ⊢ ∀r. is_diverge r ⇔ case r of Return v2 => F | Fail v3 => F | Diverge => T [isize_add_def] Definition ⊢ ∀x y. isize_add x y = mk_isize (isize_to_int x + isize_to_int y) [isize_div_def] Definition ⊢ ∀x y. isize_div x y = if isize_to_int y = 0 then Fail Failure else mk_isize (isize_to_int x / isize_to_int y) [isize_ge_def] Definition ⊢ ∀x y. isize_ge x y ⇔ isize_to_int x ≥ isize_to_int y [isize_gt_def] Definition ⊢ ∀x y. isize_gt x y ⇔ isize_to_int x > isize_to_int y [isize_le_def] Definition ⊢ ∀x y. isize_le x y ⇔ isize_to_int x ≤ isize_to_int y [isize_lt_def] Definition ⊢ ∀x y. isize_lt x y ⇔ isize_to_int x < isize_to_int y [isize_mul_def] Definition ⊢ ∀x y. isize_mul x y = mk_isize (isize_to_int x * isize_to_int y) [isize_neg_def] Definition ⊢ ∀x. isize_neg x = mk_isize (-isize_to_int x) [isize_rem_def] Definition ⊢ ∀x y. isize_rem x y = if isize_to_int y = 0 then Fail Failure else mk_isize (int_rem (isize_to_int x) (isize_to_int y)) [isize_sub_def] Definition ⊢ ∀x y. isize_sub x y = mk_isize (isize_to_int x − isize_to_int y) [massert_def] Definition ⊢ ∀b. massert b = if b then Return () else Fail Failure [mem_replace_back_def] Definition ⊢ ∀x y. mem_replace_back x y = y [mem_replace_fwd_def] Definition ⊢ ∀x y. mem_replace_fwd x y = x [mk_i128_def] Definition ⊢ ∀n. mk_i128 n = if i128_min ≤ n ∧ n ≤ i128_max then Return (int_to_i128 n) else Fail Failure [mk_i16_def] Definition ⊢ ∀n. mk_i16 n = if i16_min ≤ n ∧ n ≤ i16_max then Return (int_to_i16 n) else Fail Failure [mk_i32_def] Definition ⊢ ∀n. mk_i32 n = if i32_min ≤ n ∧ n ≤ i32_max then Return (int_to_i32 n) else Fail Failure [mk_i64_def] Definition ⊢ ∀n. mk_i64 n = if i64_min ≤ n ∧ n ≤ i64_max then Return (int_to_i64 n) else Fail Failure [mk_i8_def] Definition ⊢ ∀n. mk_i8 n = if i8_min ≤ n ∧ n ≤ i8_max then Return (int_to_i8 n) else Fail Failure [mk_isize_def] Definition ⊢ ∀n. mk_isize n = if isize_min ≤ n ∧ n ≤ isize_max then Return (int_to_isize n) else Fail Failure [mk_u128_def] Definition ⊢ ∀n. mk_u128 n = if 0 ≤ n ∧ n ≤ u128_max then Return (int_to_u128 n) else Fail Failure [mk_u16_def] Definition ⊢ ∀n. mk_u16 n = if 0 ≤ n ∧ n ≤ u16_max then Return (int_to_u16 n) else Fail Failure [mk_u32_def] Definition ⊢ ∀n. mk_u32 n = if 0 ≤ n ∧ n ≤ u32_max then Return (int_to_u32 n) else Fail Failure [mk_u64_def] Definition ⊢ ∀n. mk_u64 n = if 0 ≤ n ∧ n ≤ u64_max then Return (int_to_u64 n) else Fail Failure [mk_u8_def] Definition ⊢ ∀n. mk_u8 n = if 0 ≤ n ∧ n ≤ u8_max then Return (int_to_u8 n) else Fail Failure [mk_usize_def] Definition ⊢ ∀n. mk_usize n = if 0 ≤ n ∧ n ≤ usize_max then Return (int_to_usize n) else Fail Failure [result_TY_DEF] Definition ⊢ ∃rep. TYPE_DEFINITION (λa0. ∀ $var$('result'). (∀a0. (∃a. a0 = (λa. ind_type$CONSTR 0 (a,ARB) (λn. ind_type$BOTTOM)) a) ∨ (∃a. a0 = (λa. ind_type$CONSTR (SUC 0) (ARB,a) (λn. ind_type$BOTTOM)) a) ∨ a0 = ind_type$CONSTR (SUC (SUC 0)) (ARB,ARB) (λn. ind_type$BOTTOM) ⇒ $var$('result') a0) ⇒ $var$('result') a0) rep [result_case_def] Definition ⊢ (∀a f f1 v. result_CASE (Return a) f f1 v = f a) ∧ (∀a f f1 v. result_CASE (Fail a) f f1 v = f1 a) ∧ ∀f f1 v. result_CASE Diverge f f1 v = v [result_size_def] Definition ⊢ (∀f a. result_size f (Return a) = 1 + f a) ∧ (∀f a. result_size f (Fail a) = 1 + error_size a) ∧ ∀f. result_size f Diverge = 0 [return_def] Definition ⊢ ∀x. return x = Return x [u128_add_def] Definition ⊢ ∀x y. u128_add x y = mk_u128 (u128_to_int x + u128_to_int y) [u128_div_def] Definition ⊢ ∀x y. u128_div x y = if u128_to_int y = 0 then Fail Failure else mk_u128 (u128_to_int x / u128_to_int y) [u128_ge_def] Definition ⊢ ∀x y. u128_ge x y ⇔ u128_to_int x ≥ u128_to_int y [u128_gt_def] Definition ⊢ ∀x y. u128_gt x y ⇔ u128_to_int x > u128_to_int y [u128_le_def] Definition ⊢ ∀x y. u128_le x y ⇔ u128_to_int x ≤ u128_to_int y [u128_lt_def] Definition ⊢ ∀x y. u128_lt x y ⇔ u128_to_int x < u128_to_int y [u128_max_def] Definition ⊢ u128_max = 340282366920938463463374607431768211455 [u128_mul_def] Definition ⊢ ∀x y. u128_mul x y = mk_u128 (u128_to_int x * u128_to_int y) [u128_rem_def] Definition ⊢ ∀x y. u128_rem x y = if u128_to_int y = 0 then Fail Failure else mk_u128 (int_rem (u128_to_int x) (u128_to_int y)) [u128_sub_def] Definition ⊢ ∀x y. u128_sub x y = mk_u128 (u128_to_int x − u128_to_int y) [u16_add_def] Definition ⊢ ∀x y. u16_add x y = mk_u16 (u16_to_int x + u16_to_int y) [u16_div_def] Definition ⊢ ∀x y. u16_div x y = if u16_to_int y = 0 then Fail Failure else mk_u16 (u16_to_int x / u16_to_int y) [u16_ge_def] Definition ⊢ ∀x y. u16_ge x y ⇔ u16_to_int x ≥ u16_to_int y [u16_gt_def] Definition ⊢ ∀x y. u16_gt x y ⇔ u16_to_int x > u16_to_int y [u16_le_def] Definition ⊢ ∀x y. u16_le x y ⇔ u16_to_int x ≤ u16_to_int y [u16_lt_def] Definition ⊢ ∀x y. u16_lt x y ⇔ u16_to_int x < u16_to_int y [u16_max_def] Definition ⊢ u16_max = 65535 [u16_mul_def] Definition ⊢ ∀x y. u16_mul x y = mk_u16 (u16_to_int x * u16_to_int y) [u16_rem_def] Definition ⊢ ∀x y. u16_rem x y = if u16_to_int y = 0 then Fail Failure else mk_u16 (int_rem (u16_to_int x) (u16_to_int y)) [u16_sub_def] Definition ⊢ ∀x y. u16_sub x y = mk_u16 (u16_to_int x − u16_to_int y) [u32_add_def] Definition ⊢ ∀x y. u32_add x y = mk_u32 (u32_to_int x + u32_to_int y) [u32_div_def] Definition ⊢ ∀x y. u32_div x y = if u32_to_int y = 0 then Fail Failure else mk_u32 (u32_to_int x / u32_to_int y) [u32_ge_def] Definition ⊢ ∀x y. u32_ge x y ⇔ u32_to_int x ≥ u32_to_int y [u32_gt_def] Definition ⊢ ∀x y. u32_gt x y ⇔ u32_to_int x > u32_to_int y [u32_le_def] Definition ⊢ ∀x y. u32_le x y ⇔ u32_to_int x ≤ u32_to_int y [u32_lt_def] Definition ⊢ ∀x y. u32_lt x y ⇔ u32_to_int x < u32_to_int y [u32_max_def] Definition ⊢ u32_max = 4294967295 [u32_mul_def] Definition ⊢ ∀x y. u32_mul x y = mk_u32 (u32_to_int x * u32_to_int y) [u32_rem_def] Definition ⊢ ∀x y. u32_rem x y = if u32_to_int y = 0 then Fail Failure else mk_u32 (int_rem (u32_to_int x) (u32_to_int y)) [u32_sub_def] Definition ⊢ ∀x y. u32_sub x y = mk_u32 (u32_to_int x − u32_to_int y) [u64_add_def] Definition ⊢ ∀x y. u64_add x y = mk_u64 (u64_to_int x + u64_to_int y) [u64_div_def] Definition ⊢ ∀x y. u64_div x y = if u64_to_int y = 0 then Fail Failure else mk_u64 (u64_to_int x / u64_to_int y) [u64_ge_def] Definition ⊢ ∀x y. u64_ge x y ⇔ u64_to_int x ≥ u64_to_int y [u64_gt_def] Definition ⊢ ∀x y. u64_gt x y ⇔ u64_to_int x > u64_to_int y [u64_le_def] Definition ⊢ ∀x y. u64_le x y ⇔ u64_to_int x ≤ u64_to_int y [u64_lt_def] Definition ⊢ ∀x y. u64_lt x y ⇔ u64_to_int x < u64_to_int y [u64_max_def] Definition ⊢ u64_max = 18446744073709551615 [u64_mul_def] Definition ⊢ ∀x y. u64_mul x y = mk_u64 (u64_to_int x * u64_to_int y) [u64_rem_def] Definition ⊢ ∀x y. u64_rem x y = if u64_to_int y = 0 then Fail Failure else mk_u64 (int_rem (u64_to_int x) (u64_to_int y)) [u64_sub_def] Definition ⊢ ∀x y. u64_sub x y = mk_u64 (u64_to_int x − u64_to_int y) [u8_add_def] Definition ⊢ ∀x y. u8_add x y = mk_u8 (u8_to_int x + u8_to_int y) [u8_div_def] Definition ⊢ ∀x y. u8_div x y = if u8_to_int y = 0 then Fail Failure else mk_u8 (u8_to_int x / u8_to_int y) [u8_ge_def] Definition ⊢ ∀x y. u8_ge x y ⇔ u8_to_int x ≥ u8_to_int y [u8_gt_def] Definition ⊢ ∀x y. u8_gt x y ⇔ u8_to_int x > u8_to_int y [u8_le_def] Definition ⊢ ∀x y. u8_le x y ⇔ u8_to_int x ≤ u8_to_int y [u8_lt_def] Definition ⊢ ∀x y. u8_lt x y ⇔ u8_to_int x < u8_to_int y [u8_max_def] Definition ⊢ u8_max = 255 [u8_mul_def] Definition ⊢ ∀x y. u8_mul x y = mk_u8 (u8_to_int x * u8_to_int y) [u8_rem_def] Definition ⊢ ∀x y. u8_rem x y = if u8_to_int y = 0 then Fail Failure else mk_u8 (int_rem (u8_to_int x) (u8_to_int y)) [u8_sub_def] Definition ⊢ ∀x y. u8_sub x y = mk_u8 (u8_to_int x − u8_to_int y) [usize_add_def] Definition ⊢ ∀x y. usize_add x y = mk_usize (usize_to_int x + usize_to_int y) [usize_div_def] Definition ⊢ ∀x y. usize_div x y = if usize_to_int y = 0 then Fail Failure else mk_usize (usize_to_int x / usize_to_int y) [usize_ge_def] Definition ⊢ ∀x y. usize_ge x y ⇔ usize_to_int x ≥ usize_to_int y [usize_gt_def] Definition ⊢ ∀x y. usize_gt x y ⇔ usize_to_int x > usize_to_int y [usize_le_def] Definition ⊢ ∀x y. usize_le x y ⇔ usize_to_int x ≤ usize_to_int y [usize_lt_def] Definition ⊢ ∀x y. usize_lt x y ⇔ usize_to_int x < usize_to_int y [usize_mul_def] Definition ⊢ ∀x y. usize_mul x y = mk_usize (usize_to_int x * usize_to_int y) [usize_rem_def] Definition ⊢ ∀x y. usize_rem x y = if usize_to_int y = 0 then Fail Failure else mk_usize (int_rem (usize_to_int x) (usize_to_int y)) [usize_sub_def] Definition ⊢ ∀x y. usize_sub x y = mk_usize (usize_to_int x − usize_to_int y) [vec_index_back_def] Definition ⊢ ∀v i. vec_index_back v i = if usize_to_int i < usize_to_int (vec_len v) then Return () else Fail Failure [vec_index_def] Definition ⊢ ∀v i. vec_index v i = index (usize_to_int i) (vec_to_list v) [vec_index_fwd_def] Definition ⊢ ∀v i. vec_index_fwd v i = if usize_to_int i ≤ usize_to_int (vec_len v) then Return (vec_index v i) else Fail Failure [vec_index_mut_back_def] Definition ⊢ ∀v i x. vec_index_mut_back v i x = if usize_to_int i ≤ usize_to_int (vec_len v) then Return (vec_update v i x) else Fail Failure [vec_index_mut_fwd_def] Definition ⊢ ∀v i. vec_index_mut_fwd v i = if usize_to_int i ≤ usize_to_int (vec_len v) then Return (vec_index v i) else Fail Failure [vec_insert_back_def] Definition ⊢ ∀v i x. vec_insert_back v i x = if usize_to_int i < usize_to_int (vec_len v) then Return (vec_update v i x) else Fail Failure [vec_len_def] Definition ⊢ ∀v. vec_len v = int_to_usize (len (vec_to_list v)) [vec_new_def] Definition ⊢ vec_new = mk_vec [] [vec_push_back_def] Definition ⊢ ∀v x. vec_push_back v x = if usize_to_int (vec_len v) < usize_max then Return (mk_vec (vec_to_list v ⧺ [x])) else Fail Failure [vec_update_def] Definition ⊢ ∀v i x. vec_update v i x = mk_vec (update (vec_to_list v) (usize_to_int i) x) [bind_return_fail_div_eq] Theorem ⊢ monad_bind (Return x) f = f x ∧ monad_bind (Fail e) f = Fail e ∧ monad_bind Diverge f = Diverge [datatype_error] Theorem ⊢ DATATYPE (error Failure) [datatype_result] Theorem ⊢ DATATYPE (result Return Fail Diverge) [error2num_11] Theorem ⊢ ∀a a'. error2num a = error2num a' ⇔ a = a' [error2num_ONTO] Theorem ⊢ ∀r. r < 1 ⇔ ∃a. r = error2num a [error2num_num2error] Theorem ⊢ ∀r. r < 1 ⇔ error2num (num2error r) = r [error2num_thm] Theorem ⊢ error2num Failure = 0 [error_Axiom] Theorem ⊢ ∀x0. ∃f. f Failure = x0 [error_EQ_error] Theorem ⊢ ∀a a'. a = a' ⇔ error2num a = error2num a' [error_case_cong] Theorem ⊢ ∀M M' v0. M = M' ∧ (M' = Failure ⇒ v0 = v0') ⇒ (case M of Failure => v0) = case M' of Failure => v0' [error_case_def] Theorem ⊢ ∀v0. (case Failure of Failure => v0) = v0 [error_case_eq] Theorem ⊢ (case x of Failure => v0) = v ⇔ x = Failure ∧ v0 = v [error_induction] Theorem ⊢ ∀P. P Failure ⇒ ∀a. P a [error_nchotomy] Theorem ⊢ ∀a. a = Failure [i128_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i128_to_int_int_to_i128, usize_bounds] [] ⊢ ∀x y. i128_min ≤ i128_to_int x + i128_to_int y ⇒ i128_to_int x + i128_to_int y ≤ i128_max ⇒ ∃z. i128_add x y = Return z ∧ i128_to_int z = i128_to_int x + i128_to_int y [i128_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i128_to_int_int_to_i128, usize_bounds] [] ⊢ ∀x y. i128_to_int y ≠ 0 ⇒ i128_min ≤ i128_to_int x / i128_to_int y ⇒ i128_to_int x / i128_to_int y ≤ i128_max ⇒ ∃z. i128_div x y = Return z ∧ i128_to_int z = i128_to_int x / i128_to_int y [i128_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_i128_i128_to_int] [] ⊢ ∀x y. x = y ⇔ i128_to_int x = i128_to_int y [i128_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i128_to_int_int_to_i128, usize_bounds] [] ⊢ ∀x y. i128_min ≤ i128_to_int x * i128_to_int y ⇒ i128_to_int x * i128_to_int y ≤ i128_max ⇒ ∃z. i128_mul x y = Return z ∧ i128_to_int z = i128_to_int x * i128_to_int y [i128_neg_eq] Theorem [oracles: DISK_THM] [axioms: i128_to_int_int_to_i128, isize_bounds] [] ⊢ ∀x y. i128_min ≤ -i128_to_int x ⇒ -i128_to_int x ≤ i128_max ⇒ ∃y. i128_neg x = Return y ∧ i128_to_int y = -i128_to_int x [i128_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i128_to_int_int_to_i128, i128_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i128_to_int y ≠ 0 ⇒ i128_min ≤ int_rem (i128_to_int x) (i128_to_int y) ⇒ int_rem (i128_to_int x) (i128_to_int y) ≤ i128_max ⇒ ∃z. i128_rem x y = Return z ∧ i128_to_int z = int_rem (i128_to_int x) (i128_to_int y) [i128_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i128_to_int_int_to_i128, usize_bounds] [] ⊢ ∀x y. i128_min ≤ i128_to_int x − i128_to_int y ⇒ i128_to_int x − i128_to_int y ≤ i128_max ⇒ ∃z. i128_sub x y = Return z ∧ i128_to_int z = i128_to_int x − i128_to_int y [i128_to_int_int_to_i128_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, i128_to_int_int_to_i128, isize_bounds] [] ⊢ ∀n. i128_to_int (int_to_i128 n) = if i128_min ≤ n ∧ n ≤ i128_max then n else i128_to_int (int_to_i128 n) [i16_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i16_to_int_int_to_i16, usize_bounds] [] ⊢ ∀x y. i16_min ≤ i16_to_int x + i16_to_int y ⇒ i16_to_int x + i16_to_int y ≤ i16_max ⇒ ∃z. i16_add x y = Return z ∧ i16_to_int z = i16_to_int x + i16_to_int y [i16_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i16_to_int_int_to_i16, usize_bounds] [] ⊢ ∀x y. i16_to_int y ≠ 0 ⇒ i16_min ≤ i16_to_int x / i16_to_int y ⇒ i16_to_int x / i16_to_int y ≤ i16_max ⇒ ∃z. i16_div x y = Return z ∧ i16_to_int z = i16_to_int x / i16_to_int y [i16_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_i16_i16_to_int] [] ⊢ ∀x y. x = y ⇔ i16_to_int x = i16_to_int y [i16_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i16_to_int_int_to_i16, usize_bounds] [] ⊢ ∀x y. i16_min ≤ i16_to_int x * i16_to_int y ⇒ i16_to_int x * i16_to_int y ≤ i16_max ⇒ ∃z. i16_mul x y = Return z ∧ i16_to_int z = i16_to_int x * i16_to_int y [i16_neg_eq] Theorem [oracles: DISK_THM] [axioms: i16_to_int_int_to_i16, isize_bounds] [] ⊢ ∀x y. i16_min ≤ -i16_to_int x ⇒ -i16_to_int x ≤ i16_max ⇒ ∃y. i16_neg x = Return y ∧ i16_to_int y = -i16_to_int x [i16_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i16_to_int_int_to_i16, i16_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i16_to_int y ≠ 0 ⇒ i16_min ≤ int_rem (i16_to_int x) (i16_to_int y) ⇒ int_rem (i16_to_int x) (i16_to_int y) ≤ i16_max ⇒ ∃z. i16_rem x y = Return z ∧ i16_to_int z = int_rem (i16_to_int x) (i16_to_int y) [i16_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i16_to_int_int_to_i16, usize_bounds] [] ⊢ ∀x y. i16_min ≤ i16_to_int x − i16_to_int y ⇒ i16_to_int x − i16_to_int y ≤ i16_max ⇒ ∃z. i16_sub x y = Return z ∧ i16_to_int z = i16_to_int x − i16_to_int y [i16_to_int_int_to_i16_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, i16_to_int_int_to_i16, isize_bounds] [] ⊢ ∀n. i16_to_int (int_to_i16 n) = if i16_min ≤ n ∧ n ≤ i16_max then n else i16_to_int (int_to_i16 n) [i32_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i32_to_int_int_to_i32, usize_bounds] [] ⊢ ∀x y. i32_min ≤ i32_to_int x + i32_to_int y ⇒ i32_to_int x + i32_to_int y ≤ i32_max ⇒ ∃z. i32_add x y = Return z ∧ i32_to_int z = i32_to_int x + i32_to_int y [i32_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i32_to_int_int_to_i32, usize_bounds] [] ⊢ ∀x y. i32_to_int y ≠ 0 ⇒ i32_min ≤ i32_to_int x / i32_to_int y ⇒ i32_to_int x / i32_to_int y ≤ i32_max ⇒ ∃z. i32_div x y = Return z ∧ i32_to_int z = i32_to_int x / i32_to_int y [i32_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_i32_i32_to_int] [] ⊢ ∀x y. x = y ⇔ i32_to_int x = i32_to_int y [i32_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i32_to_int_int_to_i32, usize_bounds] [] ⊢ ∀x y. i32_min ≤ i32_to_int x * i32_to_int y ⇒ i32_to_int x * i32_to_int y ≤ i32_max ⇒ ∃z. i32_mul x y = Return z ∧ i32_to_int z = i32_to_int x * i32_to_int y [i32_neg_eq] Theorem [oracles: DISK_THM] [axioms: i32_to_int_int_to_i32, isize_bounds] [] ⊢ ∀x y. i32_min ≤ -i32_to_int x ⇒ -i32_to_int x ≤ i32_max ⇒ ∃y. i32_neg x = Return y ∧ i32_to_int y = -i32_to_int x [i32_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i32_to_int_int_to_i32, i32_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i32_to_int y ≠ 0 ⇒ i32_min ≤ int_rem (i32_to_int x) (i32_to_int y) ⇒ int_rem (i32_to_int x) (i32_to_int y) ≤ i32_max ⇒ ∃z. i32_rem x y = Return z ∧ i32_to_int z = int_rem (i32_to_int x) (i32_to_int y) [i32_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i32_to_int_int_to_i32, usize_bounds] [] ⊢ ∀x y. i32_min ≤ i32_to_int x − i32_to_int y ⇒ i32_to_int x − i32_to_int y ≤ i32_max ⇒ ∃z. i32_sub x y = Return z ∧ i32_to_int z = i32_to_int x − i32_to_int y [i32_to_int_int_to_i32_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, i32_to_int_int_to_i32, isize_bounds] [] ⊢ ∀n. i32_to_int (int_to_i32 n) = if i32_min ≤ n ∧ n ≤ i32_max then n else i32_to_int (int_to_i32 n) [i64_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i64_to_int_int_to_i64, usize_bounds] [] ⊢ ∀x y. i64_min ≤ i64_to_int x + i64_to_int y ⇒ i64_to_int x + i64_to_int y ≤ i64_max ⇒ ∃z. i64_add x y = Return z ∧ i64_to_int z = i64_to_int x + i64_to_int y [i64_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i64_to_int_int_to_i64, usize_bounds] [] ⊢ ∀x y. i64_to_int y ≠ 0 ⇒ i64_min ≤ i64_to_int x / i64_to_int y ⇒ i64_to_int x / i64_to_int y ≤ i64_max ⇒ ∃z. i64_div x y = Return z ∧ i64_to_int z = i64_to_int x / i64_to_int y [i64_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_i64_i64_to_int] [] ⊢ ∀x y. x = y ⇔ i64_to_int x = i64_to_int y [i64_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i64_to_int_int_to_i64, usize_bounds] [] ⊢ ∀x y. i64_min ≤ i64_to_int x * i64_to_int y ⇒ i64_to_int x * i64_to_int y ≤ i64_max ⇒ ∃z. i64_mul x y = Return z ∧ i64_to_int z = i64_to_int x * i64_to_int y [i64_neg_eq] Theorem [oracles: DISK_THM] [axioms: i64_to_int_int_to_i64, isize_bounds] [] ⊢ ∀x y. i64_min ≤ -i64_to_int x ⇒ -i64_to_int x ≤ i64_max ⇒ ∃y. i64_neg x = Return y ∧ i64_to_int y = -i64_to_int x [i64_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i64_to_int_int_to_i64, i64_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i64_to_int y ≠ 0 ⇒ i64_min ≤ int_rem (i64_to_int x) (i64_to_int y) ⇒ int_rem (i64_to_int x) (i64_to_int y) ≤ i64_max ⇒ ∃z. i64_rem x y = Return z ∧ i64_to_int z = int_rem (i64_to_int x) (i64_to_int y) [i64_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i64_to_int_int_to_i64, usize_bounds] [] ⊢ ∀x y. i64_min ≤ i64_to_int x − i64_to_int y ⇒ i64_to_int x − i64_to_int y ≤ i64_max ⇒ ∃z. i64_sub x y = Return z ∧ i64_to_int z = i64_to_int x − i64_to_int y [i64_to_int_int_to_i64_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, i64_to_int_int_to_i64, isize_bounds] [] ⊢ ∀n. i64_to_int (int_to_i64 n) = if i64_min ≤ n ∧ n ≤ i64_max then n else i64_to_int (int_to_i64 n) [i8_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i8_to_int_int_to_i8, usize_bounds] [] ⊢ ∀x y. i8_min ≤ i8_to_int x + i8_to_int y ⇒ i8_to_int x + i8_to_int y ≤ i8_max ⇒ ∃z. i8_add x y = Return z ∧ i8_to_int z = i8_to_int x + i8_to_int y [i8_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i8_to_int_int_to_i8, usize_bounds] [] ⊢ ∀x y. i8_to_int y ≠ 0 ⇒ i8_min ≤ i8_to_int x / i8_to_int y ⇒ i8_to_int x / i8_to_int y ≤ i8_max ⇒ ∃z. i8_div x y = Return z ∧ i8_to_int z = i8_to_int x / i8_to_int y [i8_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_i8_i8_to_int] [] ⊢ ∀x y. x = y ⇔ i8_to_int x = i8_to_int y [i8_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i8_to_int_int_to_i8, usize_bounds] [] ⊢ ∀x y. i8_min ≤ i8_to_int x * i8_to_int y ⇒ i8_to_int x * i8_to_int y ≤ i8_max ⇒ ∃z. i8_mul x y = Return z ∧ i8_to_int z = i8_to_int x * i8_to_int y [i8_neg_eq] Theorem [oracles: DISK_THM] [axioms: i8_to_int_int_to_i8, isize_bounds] [] ⊢ ∀x y. i8_min ≤ -i8_to_int x ⇒ -i8_to_int x ≤ i8_max ⇒ ∃y. i8_neg x = Return y ∧ i8_to_int y = -i8_to_int x [i8_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i8_to_int_int_to_i8, i8_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i8_to_int y ≠ 0 ⇒ i8_min ≤ int_rem (i8_to_int x) (i8_to_int y) ⇒ int_rem (i8_to_int x) (i8_to_int y) ≤ i8_max ⇒ ∃z. i8_rem x y = Return z ∧ i8_to_int z = int_rem (i8_to_int x) (i8_to_int y) [i8_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, i8_to_int_int_to_i8, usize_bounds] [] ⊢ ∀x y. i8_min ≤ i8_to_int x − i8_to_int y ⇒ i8_to_int x − i8_to_int y ≤ i8_max ⇒ ∃z. i8_sub x y = Return z ∧ i8_to_int z = i8_to_int x − i8_to_int y [i8_to_int_int_to_i8_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, i8_to_int_int_to_i8, isize_bounds] [] ⊢ ∀n. i8_to_int (int_to_i8 n) = if i8_min ≤ n ∧ n ≤ i8_max then n else i8_to_int (int_to_i8 n) [index_update_diff] Theorem ⊢ ∀ls i j y. 0 ≤ i ⇒ i < len ls ⇒ index i (update ls i y) = y [index_update_same] Theorem ⊢ ∀ls i j y. 0 ≤ i ⇒ i < len ls ⇒ j < len ls ⇒ j ≠ i ⇒ index j (update ls i y) = index j ls [isize_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, isize_to_int_int_to_isize, isize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i16_min ≤ isize_to_int x + isize_to_int y ∨ isize_min ≤ isize_to_int x + isize_to_int y ⇒ isize_to_int x + isize_to_int y ≤ i16_max ∨ isize_to_int x + isize_to_int y ≤ isize_max ⇒ ∃z. isize_add x y = Return z ∧ isize_to_int z = isize_to_int x + isize_to_int y [isize_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, isize_to_int_int_to_isize, isize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. isize_to_int y ≠ 0 ⇒ i16_min ≤ isize_to_int x / isize_to_int y ∨ isize_min ≤ isize_to_int x / isize_to_int y ⇒ isize_to_int x / isize_to_int y ≤ i16_max ∨ isize_to_int x / isize_to_int y ≤ isize_max ⇒ ∃z. isize_div x y = Return z ∧ isize_to_int z = isize_to_int x / isize_to_int y [isize_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_isize_isize_to_int] [] ⊢ ∀x y. x = y ⇔ isize_to_int x = isize_to_int y [isize_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, isize_to_int_int_to_isize, isize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i16_min ≤ isize_to_int x * isize_to_int y ∨ isize_min ≤ isize_to_int x * isize_to_int y ⇒ isize_to_int x * isize_to_int y ≤ i16_max ∨ isize_to_int x * isize_to_int y ≤ isize_max ⇒ ∃z. isize_mul x y = Return z ∧ isize_to_int z = isize_to_int x * isize_to_int y [isize_neg_eq] Theorem [oracles: DISK_THM] [axioms: isize_to_int_int_to_isize, isize_bounds] [] ⊢ ∀x y. isize_min ≤ -isize_to_int x ⇒ -isize_to_int x ≤ isize_max ⇒ ∃y. isize_neg x = Return y ∧ isize_to_int y = -isize_to_int x [isize_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, isize_to_int_int_to_isize, isize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. isize_to_int y ≠ 0 ⇒ i16_min ≤ int_rem (isize_to_int x) (isize_to_int y) ∨ isize_min ≤ int_rem (isize_to_int x) (isize_to_int y) ⇒ int_rem (isize_to_int x) (isize_to_int y) ≤ i16_max ∨ int_rem (isize_to_int x) (isize_to_int y) ≤ isize_max ⇒ ∃z. isize_rem x y = Return z ∧ isize_to_int z = int_rem (isize_to_int x) (isize_to_int y) [isize_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, isize_to_int_int_to_isize, isize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. i16_min ≤ isize_to_int x − isize_to_int y ∨ isize_min ≤ isize_to_int x − isize_to_int y ⇒ isize_to_int x − isize_to_int y ≤ i16_max ∨ isize_to_int x − isize_to_int y ≤ isize_max ⇒ ∃z. isize_sub x y = Return z ∧ isize_to_int z = isize_to_int x − isize_to_int y [isize_to_int_int_to_isize_i16_bounds] Theorem [oracles: DISK_THM] [axioms: isize_to_int_int_to_isize, isize_bounds] [] ⊢ ∀n. i16_min ≤ n ∧ n ≤ i16_max ⇒ isize_to_int (int_to_isize n) = n [isize_to_int_int_to_isize_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, isize_to_int_int_to_isize, isize_bounds] [] ⊢ ∀n. isize_to_int (int_to_isize n) = if i16_min ≤ n ∧ n ≤ i16_max then n else isize_to_int (int_to_isize n) [len_update] Theorem ⊢ ∀ls i y. len (update ls i y) = len ls [mk_isize_unfold] Theorem [oracles: DISK_THM] [axioms: isize_bounds] [] ⊢ ∀n. mk_isize n = if (i16_min ≤ n ∨ isize_min ≤ n) ∧ (n ≤ i16_max ∨ n ≤ isize_max) then Return (int_to_isize n) else Fail Failure [mk_usize_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds] [] ⊢ ∀n. mk_usize n = if 0 ≤ n ∧ (n ≤ u16_max ∨ n ≤ usize_max) then Return (int_to_usize n) else Fail Failure [mk_vec_unfold] Theorem [oracles: DISK_THM] [axioms: mk_vec_axiom, usize_bounds] [] ⊢ ∀l. vec_to_list (mk_vec l) = if len l ≤ u16_max then l else vec_to_list (mk_vec l) [num2error_11] Theorem ⊢ ∀r r'. r < 1 ⇒ r' < 1 ⇒ (num2error r = num2error r' ⇔ r = r') [num2error_ONTO] Theorem ⊢ ∀a. ∃r. a = num2error r ∧ r < 1 [num2error_error2num] Theorem ⊢ ∀a. num2error (error2num a) = a [num2error_thm] Theorem ⊢ num2error 0 = Failure [pos_rem_pos_ineqs] Theorem ⊢ ∀x y. 0 ≤ x ⇒ 0 < y ⇒ 0 ≤ int_rem x y ∧ int_rem x y < y [result_11] Theorem ⊢ (∀a a'. Return a = Return a' ⇔ a = a') ∧ ∀a a'. Fail a = Fail a' ⇔ a = a' [result_Axiom] Theorem ⊢ ∀f0 f1 f2. ∃fn. (∀a. fn (Return a) = f0 a) ∧ (∀a. fn (Fail a) = f1 a) ∧ fn Diverge = f2 [result_case_cong] Theorem ⊢ ∀M M' f f1 v. M = M' ∧ (∀a. M' = Return a ⇒ f a = f' a) ∧ (∀a. M' = Fail a ⇒ f1 a = f1' a) ∧ (M' = Diverge ⇒ v = v') ⇒ result_CASE M f f1 v = result_CASE M' f' f1' v' [result_case_eq] Theorem ⊢ result_CASE x f f1 v = v' ⇔ (∃a. x = Return a ∧ f a = v') ∨ (∃e. x = Fail e ∧ f1 e = v') ∨ x = Diverge ∧ v = v' [result_distinct] Theorem ⊢ (∀a' a. Return a ≠ Fail a') ∧ (∀a. Return a ≠ Diverge) ∧ ∀a. Fail a ≠ Diverge [result_induction] Theorem ⊢ ∀P. (∀a. P (Return a)) ∧ (∀e. P (Fail e)) ∧ P Diverge ⇒ ∀r. P r [result_nchotomy] Theorem ⊢ ∀rr. (∃a. rr = Return a) ∨ (∃e. rr = Fail e) ∨ rr = Diverge [u128_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u128_to_int_int_to_u128, u128_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u128_to_int x + u128_to_int y ≤ u128_max ⇒ ∃z. u128_add x y = Return z ∧ u128_to_int z = u128_to_int x + u128_to_int y [u128_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u128_to_int_int_to_u128, u128_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u128_to_int y ≠ 0 ⇒ ∃z. u128_div x y = Return z ∧ u128_to_int z = u128_to_int x / u128_to_int y [u128_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_u128_u128_to_int] [] ⊢ ∀x y. x = y ⇔ u128_to_int x = u128_to_int y [u128_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u128_to_int_int_to_u128, u128_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u128_to_int x * u128_to_int y ≤ u128_max ⇒ ∃z. u128_mul x y = Return z ∧ u128_to_int z = u128_to_int x * u128_to_int y [u128_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u128_to_int_int_to_u128, u128_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u128_to_int y ≠ 0 ⇒ ∃z. u128_rem x y = Return z ∧ u128_to_int z = int_rem (u128_to_int x) (u128_to_int y) [u128_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u128_to_int_int_to_u128, u128_to_int_bounds, usize_bounds] [] ⊢ ∀x y. 0 ≤ u128_to_int x − u128_to_int y ⇒ ∃z. u128_sub x y = Return z ∧ u128_to_int z = u128_to_int x − u128_to_int y [u128_to_int_int_to_u128_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, u128_to_int_int_to_u128, isize_bounds] [] ⊢ ∀n. u128_to_int (int_to_u128 n) = if 0 ≤ n ∧ n ≤ u128_max then n else u128_to_int (int_to_u128 n) [u16_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u16_to_int_int_to_u16, u16_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u16_to_int x + u16_to_int y ≤ u16_max ⇒ ∃z. u16_add x y = Return z ∧ u16_to_int z = u16_to_int x + u16_to_int y [u16_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u16_to_int_int_to_u16, u16_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u16_to_int y ≠ 0 ⇒ ∃z. u16_div x y = Return z ∧ u16_to_int z = u16_to_int x / u16_to_int y [u16_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_u16_u16_to_int] [] ⊢ ∀x y. x = y ⇔ u16_to_int x = u16_to_int y [u16_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u16_to_int_int_to_u16, u16_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u16_to_int x * u16_to_int y ≤ u16_max ⇒ ∃z. u16_mul x y = Return z ∧ u16_to_int z = u16_to_int x * u16_to_int y [u16_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u16_to_int_int_to_u16, u16_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u16_to_int y ≠ 0 ⇒ ∃z. u16_rem x y = Return z ∧ u16_to_int z = int_rem (u16_to_int x) (u16_to_int y) [u16_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u16_to_int_int_to_u16, u16_to_int_bounds, usize_bounds] [] ⊢ ∀x y. 0 ≤ u16_to_int x − u16_to_int y ⇒ ∃z. u16_sub x y = Return z ∧ u16_to_int z = u16_to_int x − u16_to_int y [u16_to_int_int_to_u16_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, u16_to_int_int_to_u16, isize_bounds] [] ⊢ ∀n. u16_to_int (int_to_u16 n) = if 0 ≤ n ∧ n ≤ u16_max then n else u16_to_int (int_to_u16 n) [u32_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u32_to_int_int_to_u32, u32_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u32_to_int x + u32_to_int y ≤ u32_max ⇒ ∃z. u32_add x y = Return z ∧ u32_to_int z = u32_to_int x + u32_to_int y [u32_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u32_to_int_int_to_u32, u32_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u32_to_int y ≠ 0 ⇒ ∃z. u32_div x y = Return z ∧ u32_to_int z = u32_to_int x / u32_to_int y [u32_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_u32_u32_to_int] [] ⊢ ∀x y. x = y ⇔ u32_to_int x = u32_to_int y [u32_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u32_to_int_int_to_u32, u32_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u32_to_int x * u32_to_int y ≤ u32_max ⇒ ∃z. u32_mul x y = Return z ∧ u32_to_int z = u32_to_int x * u32_to_int y [u32_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u32_to_int_int_to_u32, u32_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u32_to_int y ≠ 0 ⇒ ∃z. u32_rem x y = Return z ∧ u32_to_int z = int_rem (u32_to_int x) (u32_to_int y) [u32_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u32_to_int_int_to_u32, u32_to_int_bounds, usize_bounds] [] ⊢ ∀x y. 0 ≤ u32_to_int x − u32_to_int y ⇒ ∃z. u32_sub x y = Return z ∧ u32_to_int z = u32_to_int x − u32_to_int y [u32_to_int_int_to_u32_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, u32_to_int_int_to_u32, isize_bounds] [] ⊢ ∀n. u32_to_int (int_to_u32 n) = if 0 ≤ n ∧ n ≤ u32_max then n else u32_to_int (int_to_u32 n) [u64_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u64_to_int_int_to_u64, u64_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u64_to_int x + u64_to_int y ≤ u64_max ⇒ ∃z. u64_add x y = Return z ∧ u64_to_int z = u64_to_int x + u64_to_int y [u64_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u64_to_int_int_to_u64, u64_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u64_to_int y ≠ 0 ⇒ ∃z. u64_div x y = Return z ∧ u64_to_int z = u64_to_int x / u64_to_int y [u64_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_u64_u64_to_int] [] ⊢ ∀x y. x = y ⇔ u64_to_int x = u64_to_int y [u64_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u64_to_int_int_to_u64, u64_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u64_to_int x * u64_to_int y ≤ u64_max ⇒ ∃z. u64_mul x y = Return z ∧ u64_to_int z = u64_to_int x * u64_to_int y [u64_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u64_to_int_int_to_u64, u64_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u64_to_int y ≠ 0 ⇒ ∃z. u64_rem x y = Return z ∧ u64_to_int z = int_rem (u64_to_int x) (u64_to_int y) [u64_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u64_to_int_int_to_u64, u64_to_int_bounds, usize_bounds] [] ⊢ ∀x y. 0 ≤ u64_to_int x − u64_to_int y ⇒ ∃z. u64_sub x y = Return z ∧ u64_to_int z = u64_to_int x − u64_to_int y [u64_to_int_int_to_u64_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, u64_to_int_int_to_u64, isize_bounds] [] ⊢ ∀n. u64_to_int (int_to_u64 n) = if 0 ≤ n ∧ n ≤ u64_max then n else u64_to_int (int_to_u64 n) [u8_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u8_to_int_int_to_u8, u8_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u8_to_int x + u8_to_int y ≤ u8_max ⇒ ∃z. u8_add x y = Return z ∧ u8_to_int z = u8_to_int x + u8_to_int y [u8_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u8_to_int_int_to_u8, u8_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u8_to_int y ≠ 0 ⇒ ∃z. u8_div x y = Return z ∧ u8_to_int z = u8_to_int x / u8_to_int y [u8_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_u8_u8_to_int] [] ⊢ ∀x y. x = y ⇔ u8_to_int x = u8_to_int y [u8_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u8_to_int_int_to_u8, u8_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u8_to_int x * u8_to_int y ≤ u8_max ⇒ ∃z. u8_mul x y = Return z ∧ u8_to_int z = u8_to_int x * u8_to_int y [u8_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u8_to_int_int_to_u8, u8_to_int_bounds, usize_bounds] [] ⊢ ∀x y. u8_to_int y ≠ 0 ⇒ ∃z. u8_rem x y = Return z ∧ u8_to_int z = int_rem (u8_to_int x) (u8_to_int y) [u8_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, u8_to_int_int_to_u8, u8_to_int_bounds, usize_bounds] [] ⊢ ∀x y. 0 ≤ u8_to_int x − u8_to_int y ⇒ ∃z. u8_sub x y = Return z ∧ u8_to_int z = u8_to_int x − u8_to_int y [u8_to_int_int_to_u8_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, u8_to_int_int_to_u8, isize_bounds] [] ⊢ ∀n. u8_to_int (int_to_u8 n) = if 0 ≤ n ∧ n ≤ u8_max then n else u8_to_int (int_to_u8 n) [update_len] Theorem ⊢ ∀ls i y. len (update ls i y) = len ls [update_spec] Theorem ⊢ ∀ls i y. len (update ls i y) = len ls ∧ (0 ≤ i ⇒ i < len ls ⇒ index i (update ls i y) = y ∧ ∀j. j < len ls ⇒ j ≠ i ⇒ index j (update ls i y) = index j ls) [usize_add_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, usize_to_int_int_to_usize, usize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. usize_to_int x + usize_to_int y ≤ u16_max ∨ usize_to_int x + usize_to_int y ≤ usize_max ⇒ ∃z. usize_add x y = Return z ∧ usize_to_int z = usize_to_int x + usize_to_int y [usize_div_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, usize_to_int_int_to_usize, usize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. usize_to_int y ≠ 0 ⇒ ∃z. usize_div x y = Return z ∧ usize_to_int z = usize_to_int x / usize_to_int y [usize_eq_equiv] Theorem [oracles: DISK_THM] [axioms: int_to_usize_usize_to_int] [] ⊢ ∀x y. x = y ⇔ usize_to_int x = usize_to_int y [usize_mul_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, usize_to_int_int_to_usize, usize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. usize_to_int x * usize_to_int y ≤ u16_max ∨ usize_to_int x * usize_to_int y ≤ usize_max ⇒ ∃z. usize_mul x y = Return z ∧ usize_to_int z = usize_to_int x * usize_to_int y [usize_rem_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, usize_to_int_int_to_usize, usize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. usize_to_int y ≠ 0 ⇒ ∃z. usize_rem x y = Return z ∧ usize_to_int z = int_rem (usize_to_int x) (usize_to_int y) [usize_sub_eq] Theorem [oracles: DISK_THM] [axioms: isize_bounds, usize_to_int_int_to_usize, usize_to_int_bounds, usize_bounds] [] ⊢ ∀x y. 0 ≤ usize_to_int x − usize_to_int y ⇒ ∃z. usize_sub x y = Return z ∧ usize_to_int z = usize_to_int x − usize_to_int y [usize_to_int_int_to_usize_u16_bounds] Theorem [oracles: DISK_THM] [axioms: usize_to_int_int_to_usize, usize_bounds] [] ⊢ ∀n. 0 ≤ n ∧ n ≤ u16_max ⇒ usize_to_int (int_to_usize n) = n [usize_to_int_int_to_usize_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds, usize_to_int_int_to_usize, isize_bounds] [] ⊢ ∀n. usize_to_int (int_to_usize n) = if 0 ≤ n ∧ n ≤ u16_max then n else usize_to_int (int_to_usize n) [vec_index_back_spec] Theorem ⊢ ∀v i. usize_to_int i < usize_to_int (vec_len v) ⇒ vec_index_back v i = Return () [vec_index_fwd_spec] Theorem ⊢ ∀v i. usize_to_int i < usize_to_int (vec_len v) ⇒ vec_index_fwd v i = Return (vec_index v i) [vec_index_mut_back_spec] Theorem ⊢ ∀v i x. usize_to_int i < usize_to_int (vec_len v) ⇒ vec_index_mut_back v i x = Return (vec_update v i x) [vec_index_mut_fwd_spec] Theorem ⊢ ∀v i. usize_to_int i < usize_to_int (vec_len v) ⇒ vec_index_mut_fwd v i = Return (vec_index v i) [vec_insert_back_spec] Theorem ⊢ ∀v i x. usize_to_int i < usize_to_int (vec_len v) ⇒ vec_insert_back v i x = Return (vec_update v i x) [vec_len_spec] Theorem [oracles: DISK_THM] [axioms: usize_bounds, vec_to_list_num_bounds] [] ⊢ ∀v. vec_len v = int_to_usize (len (vec_to_list v)) ∧ 0 ≤ len (vec_to_list v) ∧ len (vec_to_list v) ≤ usize_max [vec_len_vec_new] Theorem [oracles: DISK_THM] [axioms: mk_vec_axiom, usize_bounds] [] ⊢ vec_len vec_new = int_to_usize 0 [vec_push_back_spec] Theorem [oracles: DISK_THM] [axioms: usize_to_int_int_to_usize, mk_vec_axiom, usize_bounds, vec_to_list_num_bounds] [] ⊢ ∀v x. usize_to_int (vec_len v) < usize_max ⇒ ∃nv. vec_push_back v x = Return nv ∧ vec_to_list nv = vec_to_list v ⧺ [x] [vec_push_back_unfold] Theorem [oracles: DISK_THM] [axioms: usize_bounds] [] ⊢ ∀v x. vec_push_back v x = if usize_to_int (vec_len v) < u16_max ∨ usize_to_int (vec_len v) < usize_max then Return (mk_vec (vec_to_list v ⧺ [x])) else Fail Failure [vec_to_list_int_bounds] Theorem [oracles: DISK_THM] [axioms: usize_bounds, vec_to_list_num_bounds] [] ⊢ ∀v. 0 ≤ len (vec_to_list v) ∧ len (vec_to_list v) ≤ usize_max [vec_to_list_vec_new] Theorem [oracles: DISK_THM] [axioms: mk_vec_axiom, usize_bounds] [] ⊢ vec_to_list vec_new = [] [vec_to_list_vec_update] Theorem [oracles: DISK_THM] [axioms: mk_vec_axiom, usize_to_int_bounds, usize_to_int_int_to_usize, usize_bounds, vec_to_list_num_bounds] [] ⊢ ∀v i x. vec_to_list (vec_update v i x) = update (vec_to_list v) (usize_to_int i) x [vec_update_eq] Theorem [oracles: DISK_THM] [axioms: vec_to_list_num_bounds, usize_bounds, usize_to_int_int_to_usize, usize_to_int_bounds, mk_vec_axiom] [] ⊢ ∀v i x. (let nv = vec_update v i x in len (vec_to_list nv) = len (vec_to_list v) ∧ len (update (vec_to_list v) (usize_to_int i) x) = len (vec_to_list v) ∧ (usize_to_int i < len (vec_to_list v) ⇒ vec_index nv i = x ∧ ∀j. usize_to_int j < usize_to_int (vec_len nv) ⇒ usize_to_int j ≠ usize_to_int i ⇒ vec_index nv j = vec_index v j)) *) end