@ -74,6 +74,13 @@ end
 
			
		
	
		
		
			
				
					
					(* *  generic command: [{foot ∧ sub} ms := - {post}]  *) (* *  generic command: [{foot ∧ sub} ms := - {post}]  *)  
			
		
	
		
		
			
				
					
					type  spec  =  { foot :  Sh . t ;  sub :  Var . Subst . t ;  ms :  Var . Set . t ;  post :  Sh . t } type  spec  =  { foot :  Sh . t ;  sub :  Var . Subst . t ;  ms :  Var . Set . t ;  post :  Sh . t }  
			
		
	
		
		
			
				
					
					
 
			
		
	
		
		
			
				
					
					let  gen_spec  us  specm  =  
			
		
	
		
		
			
				
					
					  let  xs ,  spec  =  Fresh . gen  ~ wrt : us  specm  in 
 
			
		
	
		
		
			
				
					
					  let  us  =  Var . Set . union  xs  ( Var . Set . union  spec . foot . us  spec . post . us )  in 
 
			
		
	
		
		
			
				
					
					  let  foot  =  Sh . extend_us  us  spec . foot  in 
 
			
		
	
		
		
			
				
					
					  let  post  =  Sh . extend_us  us  spec . post  in 
 
			
		
	
		
		
			
				
					
					  ( xs ,  { spec  with  foot ;  post } ) 
 
			
		
	
		
		
			
				
					
					
 
			
		
	
		
		
			
				
					
					(* (*  
			
		
	
		
		
			
				
					
					 *  Instruction  small  axioms 
 *  Instruction  small  axioms 
 
			
		
	
		
		
			
				
					
					 * ) 
 * ) 
 
			
		
	
	
		
		
			
				
					
						
							
								 
						
						
							
								 
						
						
					 
					@ -638,12 +645,13 @@ let check_preserve_us (q0 : Sh.t) (q1 : Sh.t) =
 
			
		
	
		
		
			
				
					
					  ( Var . Set . is_empty  gain_us  | |  fail  " gain us: %a "  Var . Set . pp  gain_us  () ) 
  ( Var . Set . is_empty  gain_us  | |  fail  " gain us: %a "  Var . Set . pp  gain_us  () ) 
 
			
		
	
		
		
			
				
					
					  &&  ( Var . Set . is_empty  lose_us  | |  fail  " lose us: %a "  Var . Set . pp  lose_us  () ) 
  &&  ( Var . Set . is_empty  lose_us  | |  fail  " lose us: %a "  Var . Set . pp  lose_us  () ) 
 
			
		
	
		
		
			
				
					
					
 
			
		
	
		
		
			
				
					
					(*  execute a command with given spec with ghost vars from pre  *) (*  execute a command with given explicitly-quantified spec from  
			
				
				
			
		
	
		
		
			
				
					
					let  exec_spec_  ( pre0  :  Sh . t )  ( xs ,  { foot ;  sub ;  ms ;  post } )  =    explicitly - quantified  pre  * ) 
 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					let  exec_spec_  ( xs ,  pre )  ( gs ,  { foot ;  sub ;  ms ;  post } )  =  
			
		
	
		
		
			
				
					
					  ( [ % Trace . call  fun  { pf }  -> 
  ( [ % Trace . call  fun  { pf }  -> 
 
			
		
	
		
		
			
				
					
					     pf  " @[%a@]@ @[<2>%a@,@[<hv>{%a  %a}@;<1 -1>%a--@ {%a  }@]@] "  Sh . pp  pre 0 
     pf  " @[%a@]@ @[<2>%a@,@[<hv>{%a  %a}@;<1 -1>%a--@ {%a  }@]@] "  Sh . pp  pre 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					       ( Sh . pp_us  ~ pre : " @<2>∀  "  () ) 
       ( Sh . pp_us  ~ pre : " @<2>∀  "  () ) 
 
			
		
	
		
		
			
				
					
					       x s Sh . pp  foot 
       g s Sh . pp  foot 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					       ( fun  fs  sub  -> 
       ( fun  fs  sub  -> 
 
			
		
	
		
		
			
				
					
					         if  not  ( Var . Subst . is_empty  sub )  then 
         if  not  ( Var . Subst . is_empty  sub )  then 
 
			
		
	
		
		
			
				
					
					           Format . fprintf  fs  " ∧ %a "  Var . Subst . pp  sub  ) 
           Format . fprintf  fs  " ∧ %a "  Var . Subst . pp  sub  ) 
 
			
		
	
	
		
		
			
				
					
						
						
						
							
								 
						
					 
					@ -652,47 +660,50 @@ let exec_spec_ (pre0 : Sh.t) (xs, {foot; sub; ms; post}) =
 
			
		
	
		
		
			
				
					
					         if  not  ( Var . Set . is_empty  ms )  then 
         if  not  ( Var . Set . is_empty  ms )  then 
 
			
		
	
		
		
			
				
					
					           Format . fprintf  fs  " %a :=  "  Var . Set . pp  ms  ) 
           Format . fprintf  fs  " %a :=  "  Var . Set . pp  ms  ) 
 
			
		
	
		
		
			
				
					
					       ms  Sh . pp  post  ; 
       ms  Sh . pp  post  ; 
 
			
		
	
		
		
			
				
					
					     (*   xs contains all vars in spec not in pre0 .us *) 
     (*   gs contains all vars in spec not in pre .us *) 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					     assert  ( 
     assert  ( 
 
			
		
	
		
		
			
				
					
					       let  vs  =  Var . Set . ( diff  ( diff  foot . us  xs)  pre0  . us )  in 
       let  vs  =  Var . Set . ( diff  ( diff  foot . us  gs)  pre  . us )  in 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					       Var . Set . is_empty  vs  | |  fail  " unbound foot: {%a} "  Var . Set . pp  vs  ()  )  ; 
       Var . Set . is_empty  vs  | |  fail  " unbound foot: {%a} "  Var . Set . pp  vs  ()  )  ; 
 
			
		
	
		
		
			
				
					
					     assert  ( 
     assert  ( 
 
			
		
	
		
		
			
				
					
					       let  vs  =  Var . Set . ( diff  ( diff  ms  xs)  pre0  . us )  in 
       let  vs  =  Var . Set . ( diff  ( diff  ms  gs)  pre  . us )  in 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					       Var . Set . is_empty  vs  | |  fail  " unbound modif: {%a} "  Var . Set . pp  vs  ()  )  ; 
       Var . Set . is_empty  vs  | |  fail  " unbound modif: {%a} "  Var . Set . pp  vs  ()  )  ; 
 
			
		
	
		
		
			
				
					
					     assert  ( 
     assert  ( 
 
			
		
	
		
		
			
				
					
					       let  vs  =  Var . Set . ( diff  ( diff  ( Var . Subst . domain  sub )  xs)  pre0  . us )  in 
       let  vs  =  Var . Set . ( diff  ( diff  ( Var . Subst . domain  sub )  gs)  pre  . us )  in 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					       Var . Set . is_empty  vs  | |  fail  " unbound write: {%a} "  Var . Set . pp  vs  ()  )  ; 
       Var . Set . is_empty  vs  | |  fail  " unbound write: {%a} "  Var . Set . pp  vs  ()  )  ; 
 
			
		
	
		
		
			
				
					
					     assert  ( 
     assert  ( 
 
			
		
	
		
		
			
				
					
					       let  vs  =  Var . Set . ( diff  ( diff  ( Var . Subst . range  sub )  xs)  pre0  . us )  in 
       let  vs  =  Var . Set . ( diff  ( diff  ( Var . Subst . range  sub )  gs)  pre  . us )  in 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					       Var . Set . is_empty  vs  | |  fail  " unbound ghost: {%a} "  Var . Set . pp  vs  ()  )  ; 
       Var . Set . is_empty  vs  | |  fail  " unbound ghost: {%a} "  Var . Set . pp  vs  ()  )  ; 
 
			
		
	
		
		
			
				
					
					     assert  ( 
     assert  ( 
 
			
		
	
		
		
			
				
					
					       let  vs  =  Var . Set . ( diff  ( diff  post . us  xs)  pre0  . us )  in 
       let  vs  =  Var . Set . ( diff  ( diff  post . us  gs)  pre  . us )  in 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					       Var . Set . is_empty  vs  | |  fail  " unbound post: {%a} "  Var . Set . pp  vs  ()  ) ] 
       Var . Set . is_empty  vs  | |  fail  " unbound post: {%a} "  Var . Set . pp  vs  ()  ) ] 
 
			
		
	
		
		
			
				
					
					  ; 
  ; 
 
			
		
	
		
		
			
				
					
					  let  foot  =  Sh . extend_us  xs  foot  in 
  let +  frame  =  Solver . infer_frame  pre  gs  foot  in 
 
			
				
				
			
		
	
		
		
			
				
					
					  let  zs ,  pre  =  Sh . bind_exists  pre0  ~ wrt : xs  in 
  Sh . exists  ( Var . Set . union  xs  gs ) 
 
			
				
				
			
		
	
		
		
			
				
					
					  let +  frame  =  Solver . infer_frame  pre  xs  foot  in 
 
			
		
	
		
		
			
				
					
					  Sh . exists  ( Var . Set . union  zs  xs ) 
 
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					    ( Sh . star  post  ( Sh . exists  ms  ( Sh . rename  sub  frame ) ) ) ) 
    ( Sh . star  post  ( Sh . exists  ms  ( Sh . rename  sub  frame ) ) ) ) 
 
			
		
	
		
		
			
				
					
					  | > 
  | > 
 
			
		
	
		
		
			
				
					
					  [ % Trace . retn  fun  { pf }  r  -> 
  [ % Trace . retn  fun  { pf }  r  -> 
 
			
		
	
		
		
			
				
					
					    pf  " %a "  ( Option . pp  " %a "  Sh . pp )  r  ; 
    pf  " %a "  ( Option . pp  " %a "  Sh . pp )  r  ; 
 
			
		
	
		
		
			
				
					
					    assert  ( Option . for_all  ~ f : ( check_preserve_us  pre0 )  r ) ] 
    assert  ( Option . for_all  ~ f : ( check_preserve_us  ( Sh . exists  xs  pre ) )  r ) ] 
 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					
 
			
		
	
		
		
			
				
					
					let  exec_spec  ( pre  :  Sh . t )  spec  = (*  execute a command with given spec from pre  *)  
			
				
				
			
		
	
		
		
			
				
					
					  exec_spec_  pre  ( Fresh . gen  ~ wrt : pre . us  spec ) 
let  exec_spec  pre  specm  =  
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					  let  xs ,  pre  =  Sh . bind_exists  pre  ~ wrt : Var . Set . empty  in 
 
			
		
	
		
		
			
				
					
					  exec_spec_  ( xs ,  pre )  ( gen_spec  pre . us  specm ) 
 
			
		
	
		
		
			
				
					
					
 
			
		
	
		
		
			
				
					
					(*  execute a multiple-spec command, where the disjunction of the specs (*  execute a multiple-spec command, where the disjunction of the specs  
			
		
	
		
		
			
				
					
					   preconditions  are  known  to  be  tautologous  * ) 
   preconditions  are  known  to  be  tautologous  * ) 
 
			
		
	
		
		
			
				
					
					let  rec  exec_specs  ( pre  :  Sh . t )  =  function let  exec_specs  pre  =  
			
				
				
			
		
	
		
		
			
				
					
					  |  specm  ::  specs  -> 
  let  xs ,  pre  =  Sh . bind_exists  pre  ~ wrt : Var . Set . empty  in 
 
			
				
				
			
		
	
		
		
			
				
					
					      let  xs ,  spec  =  Fresh . gen  ~ wrt : pre . us  specm  in 
  let  rec  exec_specs_  ( xs ,  pre )  =  function 
 
			
				
				
			
		
	
		
		
			
				
					
					      let  foot  =  Sh . extend_us  xs  spec . foot  in 
    |  specm  ::  specs  -> 
 
			
				
				
			
		
	
		
		
			
				
					
					      let  pre_pure  =  Sh . star  ( Sh . exists  xs  ( Sh . pure_approx  foot ) )  pre  in 
        let  gs ,  spec  =  gen_spec  pre . Sh . us  specm  in 
 
			
				
				
			
		
	
		
		
			
				
					
					      let *  post  =  exec_spec_  pre_pure  ( xs ,  spec )  in 
        let  pre_pure  =  Sh . ( star  ( exists  gs  ( pure_approx  spec . foot ) )  pre )  in 
 
			
				
				
			
		
	
		
		
			
				
					
					      let +  posts  =  exec_specs  pre  specs  in 
        let *  post  =  exec_spec_  ( xs ,  pre_pure )  ( gs ,  spec )  in 
 
			
				
				
			
		
	
		
		
			
				
					
					      Sh . or_  post  posts 
        let +  posts  =  exec_specs_  ( xs ,  pre )  specs  in 
 
			
				
				
			
		
	
		
		
			
				
					
					  |  []  ->  Some  ( Sh . false_  pre . us ) 
        Sh . or_  post  posts 
 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					
					    |  []  ->  Some  ( Sh . false_  pre . us ) 
 
			
		
	
		
		
			
				
					
					  in 
 
			
		
	
		
		
			
				
					
					  exec_specs_  ( xs ,  pre ) 
 
			
		
	
		
		
			
				
					
					
 
			
		
	
		
		
			
				
					
					let  exec_specs  pre  specs  = let  exec_specs  pre  specs  =  
			
		
	
		
		
			
				
					
					  [ % Trace . call  fun  _  ->  () ] 
  [ % Trace . call  fun  _  ->  () ]