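%% PVS Version 3.1 %% 6.2 [Linux (x86)] (Feb 14, 2003 18:46)
$$$pvs-strategies
;; This file is Lisp that PVS loads into its image when proofs in this context
;; are run. "manip-strategies" is presumably the Manip library's strategy file;
;; where `load` finds it depends on the Lisp load path, not on the LIBRARY
;; declaration in Invariant.pvs -- confirm before replaying on another machine.
(load "manip-strategies")
$$$Invariant.pvs
Invariant % [ parameters ]
		: THEORY
  BEGIN
  % ASSUMING
  % assuming declarations
  % ENDASSUMING

  % NOTE(review): absolute path into one user's home directory. The dump only
  % replays on a machine with the same layout, and nothing here pins which Manip
  % revision is meant beyond the directory name. Because the pvs-strategies
  % section executes Lisp from that library inside the PVS process, the library
  % contents are trusted code: obtain them from a known source and check them
  % before rerunning the proofs. No formula in this theory references `lib`;
  % presumably kept so the Manip library resolves -- confirm before removing.
  lib : LIBRARY = "/home/serena/PVS-Libraries/Manip-1.1/"

  % wcs2 supplies the model: per the declaration lists recorded in Invariant.prf
  % it declares T: PosTime, K: real, M: posreal, W_C_S_States, W_C_S_Pre,
  % W_C_S_Effect, Init_State and pre_x; Runs and PreEffectOK come from theory
  % runs. The accessors v, y, v_c, y_c, a_c, w, w_1, w_2, c used below are
  % presumably fields of W_C_S_States -- verify against wcs2.
  IMPORTING wcs2

  n: VAR nat    % step index into a run: states(r)(n) / events(r)(n)
  r: VAR Runs

  % (An unused `v: VAR nonneg_real` declaration, which reused the name of the
  %  wcs2 accessor v applied in v_at_control, was dropped: no formula used it.)

  % At a control event, the v component equals v_c plus a_c scaled by the
  % period T. Proof (Invariant.prf, v_at_control-1, status proved): induction
  % on n, unfolding PreEffectOK and splitting on events(r!1)(j!1).
  v_at_control : LEMMA %PROVED
    events(r)(n)=control IMPLIES v(states(r)(n))=v_c(states(r)(n))+a_c(states(r)(n))*T

  % At a control event, the y component equals y_c + v_c*T + a_c*T^2/2 plus the
  % w(...)*T term. NOTE(review): Invariant.prf records y_at_control-1 as
  % `unchecked` (a script is stored but was not rerun in this dump), so the
  % %PROVED mark below is not corroborated here; rerun it before relying on it.
  y_at_control : LEMMA % %PROVED
    events(r)(n)=control IMPLIES y(states(r)(n))=y_c(states(r)(n))+ v_c(states(r)(n))*T+a_c(states(r)(n))*(T*T)/2 + w(states(r)(n))*T

  % Invariant over every reachable state: three equations tie y_c, a_c and v_c
  % to w_1 and w_2, and the last two conjuncts bound y to [-(3/2)*M*T, (3/2)*M*T].
  % Invariant.prf keeps two scripts: Safety_property_ex-4 (status proved; relies
  % on the Manip commands mult-by, transform-both, cancel and factor!, plus
  % y_at_control and v_at_control) and the older Safety_property_ex-3 (status
  % unchecked; it invokes lemmas such as inv_2, inv_7 and alg_lemma_4 that this
  % theory does not declare -- presumably stale, confirm and delete).
  % Do not reformulate these conjuncts: the stored scripts quote their exact text.
  Safety_property_ex: LEMMA
    y_c(states(r)(n))=T*w_1(states(r)(n))+T*w_2(states(r)(n))/2 AND a_c(states(r)(n))=K*T*(w_1(states(r)(n))-w_2(states(r)(n))) AND v_c(states(r)(n))=-w_2(states(r)(n)) AND y(states(r)(n))<=3/2*M*T AND y(states(r)(n))>=(-3/2)*M*T

  % Under the period constraint T <= 2/M (M is posreal, so 2/M is defined), the
  % bound (3/2)*M*T from Safety_property_ex is at most 3, giving |y| <= 3.
  % Proof note (author): use lemma Safety_property_ex, then cross-mult and
  % assert conclude.
  Correctness: LEMMA T<=2/M IMPLIES y(states(r)(n))<=3 AND y(states(r)(n))>=-3

  END Invariant
$$$Invariant.prf
(Invariant (v_at_control 0 (v_at_control-1 nil 3285487594 3293363471 ("" (induct "n") (("1" (skosimp*) (("1" (assert) (("1" (typepred "r!1") (("1" (grind) nil nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (typepred "r!1") (("2" (expand "PreEffectOK") (("2" (hide -1) (("2" (inst-cp -1 "j!1") (("2" (inst -1 "j!1+1") (("2" (flatten) (("2" (case "events(r!1)(j!1)=control") (("1" (grind) nil nil) ("2" (case "events(r!1)(j!1)=delay(T - c(states(r!1)(j!1)))") (("1" (grind) nil nil) ("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) proved ((delay?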
adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil) (delay adt-constructor-decl "[Time -> (delay?)]" W_C_S_Actions_adt nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (pre_x const-decl "bool" wcs2 nil) (K const-decl "real" wcs2 nil) (NOT const-decl "[bool -> bool]" booleans nil) (nat_induction formula-decl nil naturalnumbers nil) (T const-decl "PosTime" wcs2 nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (control adt-constructor-decl "(control?)" W_C_S_Actions_adt nil) (control? adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil) (= const-decl "[T, T -> boolean]" equalities nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (Runs type-eq-decl nil runs nil) (PreEffectOK const-decl "bool" runs nil) (PreRuns type-eq-decl nil runs nil) (now const-decl "Time" wcs2 nil) (W_C_S_Effect const-decl "bool" wcs2 nil) (W_C_S_Pre const-decl "bool" wcs2 nil) (Init_State const-decl "bool" wcs2 nil) (W_C_S_States type-eq-decl nil wcs2 nil) (M_int type-eq-decl nil wcs2 nil) (sequence type-eq-decl nil sequences nil) (PosTime type-eq-decl nil wcs2 nil) (Time nonempty-type-eq-decl nil wcs2 nil) (/= const-decl "boolean" notequal nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (every adt-def-decl "boolean" W_C_S_Actions_adt nil) (PRED type-eq-decl nil defined_types nil) (W_C_S_Actions type-decl nil W_C_S_Actions_adt nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) 
(real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) 158809 34500 t nil)) (y_at_control 0 (y_at_control-1 nil 3285487538 3292336355 ("" (induct "n") (("1" (skosimp*) (("1" (typepred "r!1") (("1" (expand "PreEffectOK") (("1" (inst?) (("1" (expand "W_C_S_Pre") (("1" (expand "W_C_S_Effect") (("1" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (inst?) (("2" (typepred "r!1") (("2" (expand "PreEffectOK") (("2" (inst-cp -2 "j!1+1") (("2" (flatten) (("2" (inst -2 "j!1") (("2" (flatten) (("2" (case "events(r!1)(j!1)=delay(T-c(states(r!1)(j!1)))") (("1" (hide -2) (("1" (replace -1 -3 lr) (("1" (expand "W_C_S_Effect") (("1" (replace -7 -4 lr) (("1" (expand "W_C_S_Pre") (("1" (grind) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1) (("2" (replace -6 -3 lr) (("2" (expand "W_C_S_Pre") (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) unchecked ((number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (pred type-eq-decl nil defined_types nil) (W_C_S_Actions type-decl nil W_C_S_Actions_adt nil) (PRED type-eq-decl nil defined_types nil) (AND const-decl "[bool, 
bool -> bool]" booleans nil) (/= const-decl "boolean" notequal nil) (Time nonempty-type-eq-decl nil wcs2 nil) (PosTime type-eq-decl nil wcs2 nil) (sequence type-eq-decl nil sequences nil) (M_int type-eq-decl nil wcs2 nil) (W_C_S_States type-eq-decl nil wcs2 nil) (Init_State const-decl "bool" wcs2 nil) (W_C_S_Pre const-decl "bool" wcs2 nil) (W_C_S_Effect const-decl "bool" wcs2 nil) (now const-decl "Time" wcs2 nil) (PreRuns type-eq-decl nil runs nil) (PreEffectOK const-decl "bool" runs nil) (Runs type-eq-decl nil runs nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (= const-decl "[T, T -> boolean]" equalities nil) (control? adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil) (control adt-constructor-decl "(control?)" W_C_S_Actions_adt nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (T const-decl "PosTime" wcs2 nil) (nznum nonempty-type-eq-decl nil number_fields nil) (/ const-decl "[numfield, nznum -> numfield]" number_fields nil) (nat_induction formula-decl nil naturalnumbers nil) (NOT const-decl "[bool -> bool]" booleans nil) (K const-decl "real" wcs2 nil) (pre_x const-decl "bool" wcs2 nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (delay adt-constructor-decl "[Time -> (delay?)]" W_C_S_Actions_adt nil) (delay? adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil)) 41767 38870 t nil)) (Safety_property_ex 0 (Safety_property_ex-4 nil 3285659127 3293354931 ("" (induct "n") (("1" (skosimp*) (("1" (typepred "r!1") (("1" (expand "Init_State") (("1" (grind) (("1" (mult-cases 1) nil nil)) nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (assert) (("2" (inst?) (("2" (flatten) (("2" (typepred "r!1") (("2" (hide -1) (("2" (expand "PreEffectOK") (("2" (inst?) 
(("2" (flatten) (("2" (hide -1) (("2" (case "events(r!1)(j!1)=control") (("1" (replace -1 -2 lr) (("1" (lemma "y_at_control") (("1" (inst -1 "j!1" "r!1") (("1" (split 1) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (lemma "v_at_control") (("3" (inst -1 "j!1" "r!1") (("3" (grind) nil nil)) nil)) nil) ("4" (grind) nil nil) ("5" (grind) nil nil)) nil)) nil)) nil)) nil) ("2" (reveal -1) (("2" (expand "W_C_S_Effect") (("2" (assert) (("2" (flatten) (("2" (assert) (("2" (hide-all-but (-1 -3 -13 -14 -15 1 2)) (("2" (equate "y_c(states(r!1)(j!1)) + (a_c(states(r!1)(j!1)) * c(states(r!1)(j!1)) * c(states(r!1)(j!1)) + 2 * (a_c(states(r!1)(j!1)) * c(states(r!1)(j!1)) * t(events(r!1)(j!1))) + a_c(states(r!1)(j!1)) * t(events(r!1)(j!1)) * t(events(r!1)(j!1))) / 2 + c(states(r!1)(j!1)) * v_c(states(r!1)(j!1)) + c(states(r!1)(j!1)) * w(states(r!1)(j!1)) + v_c(states(r!1)(j!1)) * t(events(r!1)(j!1)) + w(states(r!1)(j!1)) * t(events(r!1)(j!1))" "y_c(states(r!1)(j!1)) + v_c(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + a_c(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) / 2 + w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (replace -3 -2 lr) (("1" (replace -4 -2 lr) (("1" (replace -5 -2 lr) (("1" (hide -3 -4 -5) (("1" (equate "T * w_2(states(r!1)(j!1)) / 2 + T * w_1(states(r!1)(j!1)) + -w_2(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (w_1(states(r!1)(j!1)) * K * T - w_2(states(r!1)(j!1)) * K * T) * ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / 2" " w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + 
t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (name "add1" " w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (claim "((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) >=0") (("1" (claim "(T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))>=0") (("1" (reveal -19) (("1" (inst -1 "j!1") (("1" (flatten) (("1" (split 2) (("1" (claim "w(states(r!1)(j!1))<=M") (("1" (claim "w_1(states(r!1)(j!1))<=M") (("1" (claim "w_2(states(r!1)(j!1))<=M") (("1" (mult-by -3 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" +) (("1" (transform-both -1 "%1*((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (transform-both -3 "%1 * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (transform-both -5 "%1*(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (claim "y(states(r!1)(1 + j!1)) <= M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))+ M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + 
t[PosTime](events(r!1)(j!1)))) / (2 * T)) +M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) ") (("1" (factor! (! -1 r)) (("1" (assert) nil nil)) nil) ("2" (hide -4 -5 -6 -10) (("2" (claim "w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))<= M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) ") (("1" (hide -2 -3 -4 -5) (("1" (grind) nil nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (cancel *) nil nil)) nil) ("2" (cancel *) nil nil)) nil) ("2" (cancel *) nil nil)) nil)) nil) ("2" (grind) nil nil)) nil) ("2" (ground) nil nil)) nil) ("2" (ground) nil nil)) nil) ("2" (claim " w(states(r!1)(j!1))>=-M") (("1" (claim "w_1(states(r!1)(j!1))>=-M") (("1" (claim " w_2(states(r!1)(j!1))>=-M") (("1" (mult-by -3 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" +) (("1" (transform-both -1 "%1*((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (transform-both -3 "%1 * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (transform-both -5 "%1*(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (claim 
"y(states(r!1)(1 + j!1)) >= (-M) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))+ (-M) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) +(-M) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) ") (("1" (factor! (! -1 r)) (("1" (assert) nil nil)) nil) ("2" (hide -4 -5 -6 -10) (("2" (claim "w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))>= (-M) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (-M) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + (- M) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) ") (("1" (hide -2 -3 -4 -5) (("1" (grind) nil nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (cancel *) nil nil)) nil) ("2" (cancel *) nil nil)) nil) ("2" (cancel *) nil nil)) nil)) nil) ("2" (ground) nil nil)) nil) ("2" (ground) nil nil)) nil) ("2" (ground) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 -2 -4 3) (("2" (equate "T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) / (2 * T))" "( 2*T*T-(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) )/(2*T)") (("1" (cross-mult 1) (("1" (expand 
"W_C_S_Pre") (("1" (expand "pre_x") (("1" (equate " c(states(r!1)(j!1)) + t(events(r!1)(j!1)) " "(c(states(r!1)(j!1)) + t(events(r!1)(j!1)))") (("1" (transform-both -1 "%1 * (c(states(r!1)(j!1)) + t(events(r!1)(j!1) ) )") (("1" (transform-both -2 "T* %1") (("1" (assert) nil nil) ("2" (cancel *) nil nil)) nil) ("2" (cancel *) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (hide -1 -3 3) (("2" (expand "W_C_S_Pre") (("2" (expand "pre_x") (("2" (equate "(T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))))" " (T-(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))))* (T-(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))))") (("1" (cross-mult 1) (("1" (lemma "pos_times_le") (("1" (inst -1 "(T - (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))))" "(T - (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))))") (("1" (flatten) (("1" (grind) nil nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) proved ((number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (pred type-eq-decl 
nil defined_types nil) (W_C_S_Actions type-decl nil W_C_S_Actions_adt nil) (PRED type-eq-decl nil defined_types nil) (every adt-def-decl "boolean" W_C_S_Actions_adt nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (/= const-decl "boolean" notequal nil) (Time nonempty-type-eq-decl nil wcs2 nil) (PosTime type-eq-decl nil wcs2 nil) (sequence type-eq-decl nil sequences nil) (M_int type-eq-decl nil wcs2 nil) (W_C_S_States type-eq-decl nil wcs2 nil) (Init_State const-decl "bool" wcs2 nil) (W_C_S_Pre const-decl "bool" wcs2 nil) (W_C_S_Effect const-decl "bool" wcs2 nil) (now const-decl "Time" wcs2 nil) (PreRuns type-eq-decl nil runs nil) (PreEffectOK const-decl "bool" runs nil) (Runs type-eq-decl nil runs nil) (= const-decl "[T, T -> boolean]" equalities nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (T const-decl "PosTime" wcs2 nil) (nznum nonempty-type-eq-decl nil number_fields nil) (/ const-decl "[numfield, nznum -> numfield]" number_fields nil) (K const-decl "real" wcs2 nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (- const-decl "[numfield -> numfield]" number_fields nil) (<= const-decl "bool" reals nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (> const-decl "bool" reals nil) (posreal nonempty-type-eq-decl nil real_types nil) (M const-decl "posreal" wcs2 nil) (nat_induction formula-decl nil naturalnumbers nil) (NOT const-decl "[bool -> bool]" booleans nil) (pre_x const-decl "bool" wcs2 nil) (neg_times_ge formula-decl nil real_props nil) (t adt-accessor-decl "[(delay?) -> Time]" W_C_S_Actions_adt nil) (delay? 
adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil) (pos_times_le formula-decl nil real_props nil) (both_sides_times_pos_le1 formula-decl nil real_props nil) (nnreal type-eq-decl nil real_types nil) (both_sides_times_pos_ge1 formula-decl nil real_props nil) (nzreal nonempty-type-eq-decl nil reals nil) (both_sides_times_pos_le2 formula-decl nil real_props nil) (div_mult_pos_ge1 formula-decl nil real_props nil) (v_at_control formula-decl nil Invariant nil) (y_at_control formula-decl nil Invariant nil) (control adt-constructor-decl "(control?)" W_C_S_Actions_adt nil) (control? adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil)) 229507 106830 t nil) (Safety_property_ex-3 nil 3276243681 3276534932 ("" (induct "n") (("1" (skosimp*) (("1" (assert) (("1" (assert) (("1" (typepred "r!1") (("1" (hide -2 -3 -4) (("1" (expand "Init_State") (("1" (grind) (("1" (lemma "neg_times_le") (("1" (inst -1 "M*T" "-3/2") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (assert) (("2" (case "events(r!1)(j!1)=control") (("1" (lemma "inv_2") (("1" (inst -1 "j!1" "r!1") (("1" (assert) (("1" (assert) (("1" (inst?) (("1" (assert) (("1" (flatten) (("1" (split 1) (("1" (lemma "inv_7") (("1" (inst -1 "j!1" "r!1") (("1" (assert) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (swap "-w_2(states(r!1)(j!1)) * T" + "w(states(r!1)(j!1)) * T" -1 l) (("1" (typepred "r!1") (("1" (hide -1 -3 -4) (("1" (expand "PreEffectOK") (("1" (inst -1 "j!1") (("1" (flatten) (("1" (hide -1) (("1" (replace -5 -1 lr) (("1" (expand "W_C_S_Effect") (("1" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (lemma "inv_8") (("2" (inst?) 
(("2" (assert) (("2" (swap "y(states(r!1)(j!1)) * K - a_c(states(r!1)(j!1)) / 2" + " - y_c(states(r!1)(j!1)) * K") (("2" (lemma "associative_add") (("2" (inst -1 "-y_c(states(r!1)(j!1)) * K" "y(states(r!1)(j!1)) * K" "- a_c(states(r!1)(j!1)) / 2") (("2" (lemma " minus_add") (("2" (inst -1 "y(states(r!1)(j!1)) * K" "a_c(states(r!1)(j!1)) / 2") (("2" (replace -1 -2 rl) (("2" (replace -2 -3 lr) (("2" (hide -1 -2) (("2" (lemma "inv_7") (("2" (inst -1 "j!1" "r!1") (("2" (assert) (("2" (replace -1 -2 lr) (("2" (hide -1) (("2" (lemma "minus_add") (("2" (inst -1 " -a_c(states(r!1)(j!1)) / 2 + (y_c(states(r!1)(j!1)) + a_c(states(r!1)(j!1)) * (T * T) / 2 + v_c(states(r!1)(j!1)) * T + w(states(r!1)(j!1)) * T) * K" "y_c(states(r!1)(j!1)) * K") (("2" (replace -1 -2 rl) (("2" (hide -1) (("2" (assert) (("2" (expand "K") (("2" (equate "(T * T) / 2 * (-1 / (T * T))" "-1/2") (("1" (assert) (("1" (hide -5) (("1" (replace -6 -2 lr) (("1" (hide -6) (("1" (replace -5 -2 lr) (("1" (hide -5) (("1" (hide -5 -6) (("1" (grind) (("1" (typepred "r!1") (("1" (hide -1 -3 -4) (("1" (expand "PreEffectOK") (("1" (inst?) 
(("1" (assert) (("1" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("3" (lemma "inv_10") (("3" (inst -1 "j!1" "r!1") (("3" (assert) (("3" (replace -6 -1 lr) (("3" (replace -5 -1 lr) (("3" (lemma "times_plus") (("3" (lemma "inv_11") (("3" (inst -2 "0" "w_1(states(r!1)(j!1)) * K * T " "- w_2(states(r!1)(j!1)) * K * T" "T") (("3" (lemma "real_0") (("3" (lemma "real_0") (("3" (inst -1 "T") (("3" (replace -1 -4 lr) (("3" (lemma "real_1") (("3" (inst -1 " w_1(states(r!1)(j!1)) * K * T" " w_2(states(r!1)(j!1)) * K * T") (("3" (replace -1 -5 lr) (("3" (lemma " zero_times2") (("3" (inst-cp -1 "w_1(states(r!1)(j!1)) * K * T") (("3" (hide -3) (("3" (inst -1 "-w_2(states(r!1)(j!1)) * K * T") (("3" (replace -1 -6 lr) (("3" (hide -1 -2) (("3" (lemma "identity_add") (("3" (inst-cp -1 "w_1(states(r!1)(j!1)) * K * T * T ") (("3" (replace -2 -6 lr) (("3" (inst -1 "w_1(states(r!1)(j!1)) * K * T * T + -w_2(states(r!1)(j!1)) * K * T * T") (("3" (hide -1 -2 -3 -4) (("3" (replace -2 -3 lr) (("3" (lemma "identity_add") (("3" (inst -1 "w_1(states(r!1)(j!1)) * K * T * T + -w_2(states(r!1)(j!1)) * K * T * T") (("3" (replace -1 -4 lr) (("3" (hide -1 -3) (("3" (lemma "inv_9") (("3" (inst -1 "j!1" "r!1") (("3" (split -1) (("1" (flatten) (("1" (replace -2 -4 rl) (("1" (hide -1 -2) (("1" (hide -8 -9 -7 -5 -6) (("1" (expand "K") (("1" (swap " -w_2(states(r!1)(j!1))" * "T * T" -2 l) (("1" (mult-by -1 " -1 / (T * T)") (("1" (lemma "inv_12") (("1" (inst?) 
(("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("4" (assert) (("4" (hide -4 -5 -6) (("4" (typepred "r!1") (("4" (hide -1 -3 -4) (("4" (expand "PreEffectOK") (("4" (assert) (("4" (inst?) (("4" (flatten) (("4" (hide -1) (("4" (expand "W_C_S_Effect") (("4" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("5" (typepred "r!1") (("5" (hide -1 -3 -4) (("5" (expand "PreEffectOK") (("5" (inst?) (("5" (flatten) (("5" (expand "W_C_S_Effect") (("5" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (inst?) (("2" (case "delay?(events(r!1)(j!1))") (("1" (assert) (("1" (typepred "r!1") (("1" (hide -3 -4 -1) (("1" (expand "PreEffectOK") (("1" (inst?) (("1" (flatten) (("1" (hide -1) (("1" (expand "W_C_S_Effect") (("1" (hide 1) (("1" (split 1) (("1" (assert) nil nil) ("2" (assert) nil nil) ("3" (assert) nil nil) ("4" (assert) (("4" (lemma "inv_16") (("4" (inst -1 "j!1" "r!1") (("4" (split -1) (("1" (hide -2) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (hide -2 -3 -4) (("1" (lemma "alg_lemma_4") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" "w_1(states(r!1)(j!1))" "w_2(states(r!1)(j!1))") (("1" (replace -1 -2 lr) (("1" (reveal -2) (("1" (hide -2) (("1" (lemma "alg_lemma_5") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "alg_lemma6") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "inv_14") (("1" (inst?) 
(("1" (replace -4 -1 lr) (("1" (replace -1 -2 lr) (("1" (has-sign "c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)) " 0+) (("1" (lemma "inv_17") (("1" (lemma "inv_4") (("1" (lemma "inv_5") (("1" (inst?) (("1" (hide -8) (("1" (inst?) (("1" (inst?) (("1" (flatten) (("1" (lemma "alg_lemma_8 ") (("1" (inst -1 "M" "((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_2(states(r!1)(j!1))") (("1" (hide -3 -5 -7) (("1" (replace -2 -1 lr) (("1" (lemma "alg_lemma_8") (("1" (inst -1 "M" "(T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_1(states(r!1)(j!1)) ") (("1" (replace -4 -1 lr) (("1" (hide -3 -4) (("1" (lemma "alg_lemma_8") (("1" (inst -1 "M" " (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" " w(states(r!1)(j!1))") (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (lemma "le_plus_le") (("1" (hide -5 -6 -7 -8) (("1" (inst-cp -1 "M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_1(states(r!1)(j!1))* (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (split -2) (("1" (hide -4 -5) (("1" (inst -2 "M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" " w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + 
t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (replace -1 -2 lr) (("1" (hide -1) (("1" (replace -2 -1 lr) (("1" (hide -2) (("1" (replace -2 -1 rl) (("1" (hide -2) (("1" (name "add1" "M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (factor -1 l *) (("1" (lemma "alg_lemma_7 ") (("1" (inst?) 
(("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil) ("3" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil)) nil)) nil)) nil) ("5" (assert) (("5" (lemma "inv_16") (("5" (inst -1 "j!1" "r!1") (("5" (split -1) (("1" (hide -2) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (hide -3 -4) (("1" (lemma "alg_lemma_4") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" "w_1(states(r!1)(j!1))" "w_2(states(r!1)(j!1))") (("1" (replace -1 -2 lr) (("1" (hide -1) (("1" (lemma "alg_lemma_5") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "alg_lemma6") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "inv_14") (("1" (inst?) (("1" (replace -5 -1 lr) (("1" (replace -1 -2 lr) (("1" (has-sign "c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)) " 0+) (("1" (lemma "inv_17") (("1" (lemma "inv_4") (("1" (lemma "inv_5") (("1" (inst?) (("1" (hide -9) (("1" (inst?) (("1" (inst?) 
(("1" (flatten) (("1" (lemma "alg_lemma_9") (("1" (inst -1 "((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_2(states(r!1)(j!1))" "-M") (("1" (hide -2 -4 -6) (("1" (replace -2 -1 lr) (("1" (lemma "alg_lemma_9") (("1" (inst-cp -1 "(T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_1(states(r!1)(j!1)) " "-M") (("1" (replace -5 -2 lr) (("1" (hide -4 -5) (("1" (inst -1 " (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" " w(states(r!1)(j!1))" "-M") (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (lemma "ge_plus_ge") (("1" (hide -5 -6 -7 -8) (("1" (inst-cp -1 "-M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " -M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_1(states(r!1)(j!1))* (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (split -2) (("1" (hide -4 -5) (("1" (inst -2 "-M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" " w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "-M * ((T * T - 2 
* T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + -M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (replace -1 -2 lr) (("1" (replace -3 -2 lr) (("1" (hide -1) (("1" (name "add2" " -M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + -M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + -M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (factor -1 l *) (("1" (lemma "alg_lemma_7") (("1" (inst?) (("1" (hide -4) (("1" (replace -4 -3 rl) (("1" (hide -4) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil) ("3" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) unchecked ((control? 
adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil) (control adt-constructor-decl "(control?)" W_C_S_Actions_adt nil) (associative_add formula-decl nil number_fields nil) (minus_add formula-decl nil number_fields nil) (times_plus formula-decl nil real_props nil) (zero_times2 formula-decl nil real_props nil) (identity_add formula-decl nil number_fields nil) (ge_plus_ge formula-decl nil real_props nil) (le_plus_le formula-decl nil real_props nil) (t adt-accessor-decl "[(delay?) -> Time]" W_C_S_Actions_adt nil) (delay? adt-recognizer-decl "[W_C_S_Actions -> boolean]" W_C_S_Actions_adt nil) (neg_times_le formula-decl nil real_props nil) (NOT const-decl "[bool -> bool]" booleans nil) (nat_induction formula-decl nil naturalnumbers nil) (M const-decl "posreal" wcs2 nil) (posreal nonempty-type-eq-decl nil real_types nil) (> const-decl "bool" reals nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (<= const-decl "bool" reals nil) (- const-decl "[numfield -> numfield]" number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (K const-decl "real" wcs2 nil) (/ const-decl "[numfield, nznum -> numfield]" number_fields nil) (nznum nonempty-type-eq-decl nil number_fields nil) (T const-decl "PosTime" wcs2 nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (Runs type-eq-decl nil runs nil) (PreEffectOK const-decl "bool" runs nil) (PreRuns type-eq-decl nil runs nil) (now const-decl "Time" wcs2 nil) (W_C_S_Effect const-decl "bool" wcs2 nil) (W_C_S_Pre const-decl "bool" wcs2 nil) (Init_State const-decl "bool" wcs2 nil) (W_C_S_States type-eq-decl nil wcs2 nil) (M_int type-eq-decl nil wcs2 nil) (sequence type-eq-decl nil sequences nil) (PosTime type-eq-decl nil wcs2 nil) (Time nonempty-type-eq-decl nil wcs2 nil) (/= const-decl "boolean" 
notequal nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (PRED type-eq-decl nil defined_types nil) (W_C_S_Actions type-decl nil W_C_S_Actions_adt nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) 511751 101230 t nil) (Safety_property_ex-2 nil 3276239707 nil ("" (induct "n") (("1" (skosimp*) (("1" (assert) (("1" (assert) (("1" (typepred "r!1") (("1" (hide -2 -3 -4) (("1" (expand "Init_State") (("1" (grind) (("1" (lemma "neg_times_le") (("1" (inst -1 "M*T" "-3/2") (("1" (assert) nil))))))))))))))))))) ("2" (skosimp*) (("2" (assert) (("2" (case "events(r!1)(j!1)=control") (("1" (lemma "inv_2") (("1" (inst -1 "j!1" "r!1") (("1" (assert) (("1" (assert) (("1" (inst?) (("1" (assert) (("1" (flatten) (("1" (split 1) (("1" (lemma "inv_7") (("1" (inst -1 "j!1" "r!1") (("1" (assert) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (swap "-w_2(states(r!1)(j!1)) * T" + "w(states(r!1)(j!1)) * T" -1 l) (("1" (typepred "r!1") (("1" (hide -1 -3 -4) (("1" (expand "PreEffectOK") (("1" (inst -1 "j!1") (("1" (flatten) (("1" (hide -1) (("1" (replace -5 -1 lr) (("1" (expand "W_C_S_Effect") (("1" (grind) nil))))))))))))))))))))))))))))))))))))) ("2" (assert) (("2" (lemma "inv_8") (("2" (inst?) 
(("2" (assert) (("2" (swap "y(states(r!1)(j!1)) * K - a_c(states(r!1)(j!1)) / 2" + " - y_c(states(r!1)(j!1)) * K") (("2" (lemma "associative_add") (("2" (inst -1 "-y_c(states(r!1)(j!1)) * K" "y(states(r!1)(j!1)) * K" "- a_c(states(r!1)(j!1)) / 2") (("2" (lemma " minus_add") (("2" (inst -1 "y(states(r!1)(j!1)) * K" "a_c(states(r!1)(j!1)) / 2") (("2" (replace -1 -2 rl) (("2" (replace -2 -3 lr) (("2" (hide -1 -2) (("2" (lemma "inv_7") (("2" (inst -1 "j!1" "r!1") (("2" (assert) (("2" (replace -1 -2 lr) (("2" (hide -1) (("2" (lemma "minus_add") (("2" (inst -1 " -a_c(states(r!1)(j!1)) / 2 + (y_c(states(r!1)(j!1)) + a_c(states(r!1)(j!1)) * (T * T) / 2 + v_c(states(r!1)(j!1)) * T + w(states(r!1)(j!1)) * T) * K" "y_c(states(r!1)(j!1)) * K") (("2" (replace -1 -2 rl) (("2" (hide -1) (("2" (assert) (("2" (expand "K") (("2" (equate "(T * T) / 2 * (-1 / (T * T))" "-1/2") (("1" (assert) (("1" (hide -5) (("1" (replace -6 -2 lr) (("1" (hide -6) (("1" (replace -5 -2 lr) (("1" (hide -5) (("1" (hide -5 -6) (("1" (grind) (("1" (typepred "r!1") (("1" (hide -1 -3 -4) (("1" (expand "PreEffectOK") (("1" (inst?) 
(("1" (assert) (("1" (grind) nil))))))))))))))))))))))))))) ("2" (assert) nil))))))))))))))))))))))))))))))))))))))))))))))))) ("3" (lemma "inv_10") (("3" (inst -1 "j!1" "r!1") (("3" (assert) (("3" (replace -6 -1 lr) (("3" (replace -5 -1 lr) (("3" (lemma "times_plus") (("3" (lemma "inv_11") (("3" (inst -2 "0" "w_1(states(r!1)(j!1)) * K * T " "- w_2(states(r!1)(j!1)) * K * T" "T") (("3" (lemma "real_0") (("3" (lemma "real_0") (("3" (inst -1 "T") (("3" (replace -1 -4 lr) (("3" (lemma "real_1") (("3" (inst -1 " w_1(states(r!1)(j!1)) * K * T" " w_2(states(r!1)(j!1)) * K * T") (("3" (replace -1 -5 lr) (("3" (lemma " zero_times2") (("3" (inst-cp -1 "w_1(states(r!1)(j!1)) * K * T") (("3" (hide -3) (("3" (inst -1 "-w_2(states(r!1)(j!1)) * K * T") (("3" (replace -1 -6 lr) (("3" (hide -1 -2) (("3" (lemma "identity_add") (("3" (inst-cp -1 "w_1(states(r!1)(j!1)) * K * T * T ") (("3" (replace -2 -6 lr) (("3" (inst -1 "w_1(states(r!1)(j!1)) * K * T * T + -w_2(states(r!1)(j!1)) * K * T * T") (("3" (hide -1 -2 -3 -4) (("3" (replace -2 -3 lr) (("3" (lemma "identity_add") (("3" (inst -1 "w_1(states(r!1)(j!1)) * K * T * T + -w_2(states(r!1)(j!1)) * K * T * T") (("3" (replace -1 -4 lr) (("3" (hide -1 -3) (("3" (lemma "inv_9") (("3" (inst -1 "j!1" "r!1") (("3" (split -1) (("1" (flatten) (("1" (replace -2 -4 rl) (("1" (hide -1 -2) (("1" (hide -8 -9 -7 -5 -6) (("1" (expand "K") (("1" (swap " -w_2(states(r!1)(j!1))" * "T * T" -2 l) (("1" (mult-by -1 " -1 / (T * T)") (("1" (lemma "inv_12") (("1" (inst?) (("1" (assert) nil))))))))))))))))))) ("2" (propax) nil))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("4" (assert) (("4" (hide -4 -5 -6) (("4" (typepred "r!1") (("4" (hide -1 -3 -4) (("4" (expand "PreEffectOK") (("4" (assert) (("4" (inst?) (("4" (flatten) (("4" (hide -1) (("4" (expand "W_C_S_Effect") (("4" (propax) nil))))))))))))))))))))) ("5" (typepred "r!1") (("5" (hide -1 -3 -4) (("5" (expand "PreEffectOK") (("5" (inst?) 
(("5" (flatten) (("5" (expand "W_C_S_Effect") (("5" (grind) nil))))))))))))))))))))))))))))) ("2" (assert) (("2" (inst?) (("2" (case "delay?(events(r!1)(j!1))") (("1" (assert) (("1" (typepred "r!1") (("1" (hide -3 -4 -1) (("1" (expand "PreEffectOK") (("1" (inst?) (("1" (flatten) (("1" (hide -1) (("1" (expand "W_C_S_Effect") (("1" (hide 1) (("1" (split 1) (("1" (assert) nil) ("2" (assert) nil) ("3" (assert) nil) ("4" (assert) (("4" (lemma "inv_16") (("4" (inst -1 "j!1" "r!1") (("4" (split -1) (("1" (hide -2) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (hide -2 -3 -4) (("1" (lemma "alg_lemma_4") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" "w_1(states(r!1)(j!1))" "w_2(states(r!1)(j!1))") (("1" (replace -1 -2 lr) (("1" (reveal -2) (("1" (hide -2) (("1" (lemma "alg_lemma_5") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "alg_lemma6") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "inv_14") (("1" (inst?) (("1" (replace -4 -1 lr) (("1" (replace -1 -2 lr) (("1" (has-sign "c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)) " 0+) (("1" (lemma "inv_17") (("1" (lemma "inv_4") (("1" (lemma "inv_5") (("1" (inst?) (("1" (hide -8) (("1" (inst?) (("1" (inst?) 
(("1" (flatten) (("1" (lemma "alg_lemma_8 ") (("1" (inst -1 "M" "((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_2(states(r!1)(j!1))") (("1" (hide -3 -5 -7) (("1" (replace -2 -1 lr) (("1" (lemma "alg_lemma_8") (("1" (inst -1 "M" "(T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_1(states(r!1)(j!1)) ") (("1" (replace -4 -1 lr) (("1" (hide -3 -4) (("1" (lemma "alg_lemma_8") (("1" (inst -1 "M" " (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" " w(states(r!1)(j!1))") (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (lemma "le_plus_le") (("1" (hide -5 -6 -7 -8) (("1" (inst-cp -1 "M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_1(states(r!1)(j!1))* (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (split -2) (("1" (hide -4 -5) (("1" (inst -2 "M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" " w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * 
T))" "M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (replace -1 -2 lr) (("1" (hide -1) (("1" (replace -2 -1 lr) (("1" (hide -2) (("1" (replace -2 -1 rl) (("1" (hide -2) (("1" (name "add1" "M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (factor -1 l *) (("1" (lemma "alg_lemma_7 ") (("1" (inst?) (("1" (assert) nil))))))))))))))))))))))))) ("2" (propax) nil) ("3" (propax) nil))))))))))))))))))))) ("2" (assert) nil))))))))) ("2" (assert) nil))))))))))))))))))))) ("2" (assert) nil))))))))))))))))))))))))))))))))))))))))))))) ("2" (propax) nil))))))))) ("5" (postpone) nil))))))))))))))))))))) ("2" (assert) nil)))))))))))))) nil) unchecked nil nil nil nil nil) (Safety_property_ex-1 nil 3275980943 3276079596 ("" (induct "n") (("1" (skosimp*) (("1" (assert) (("1" (assert) (("1" (typepred "r!1") (("1" (hide -2 -3 -4) (("1" (expand "Init_State") (("1" (grind) (("1" (lemma "neg_times_le") (("1" (inst -1 "M*T" "-3/2") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (assert) (("2" (case "events(r!1)(j!1)=control") (("1" (lemma "inv_2") (("1" (inst -1 "j!1" "r!1") (("1" (assert) (("1" (assert) (("1" (inst?) 
(("1" (assert) (("1" (flatten) (("1" (split 1) (("1" (lemma "inv_7") (("1" (inst -1 "j!1" "r!1") (("1" (assert) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (swap "-w_2(states(r!1)(j!1)) * T" + "w(states(r!1)(j!1)) * T" -1 l) (("1" (typepred "r!1") (("1" (hide -1 -3 -4) (("1" (expand "PreEffectOK") (("1" (inst -1 "j!1") (("1" (flatten) (("1" (hide -1) (("1" (replace -5 -1 lr) (("1" (expand "W_C_S_Effect") (("1" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (lemma "inv_8") (("2" (inst?) (("2" (assert) (("2" (swap "y(states(r!1)(j!1)) * K - a_c(states(r!1)(j!1)) / 2" + " - y_c(states(r!1)(j!1)) * K") (("2" (lemma "associative_add") (("2" (inst -1 "-y_c(states(r!1)(j!1)) * K" "y(states(r!1)(j!1)) * K" "- a_c(states(r!1)(j!1)) / 2") (("2" (lemma " minus_add") (("2" (inst -1 "y(states(r!1)(j!1)) * K" "a_c(states(r!1)(j!1)) / 2") (("2" (replace -1 -2 rl) (("2" (replace -2 -3 lr) (("2" (hide -1 -2) (("2" (lemma "inv_7") (("2" (inst -1 "j!1" "r!1") (("2" (assert) (("2" (replace -1 -2 lr) (("2" (hide -1) (("2" (lemma "minus_add") (("2" (inst -1 " -a_c(states(r!1)(j!1)) / 2 + (y_c(states(r!1)(j!1)) + a_c(states(r!1)(j!1)) * (T * T) / 2 + v_c(states(r!1)(j!1)) * T + w(states(r!1)(j!1)) * T) * K" "y_c(states(r!1)(j!1)) * K") (("2" (replace -1 -2 rl) (("2" (hide -1) (("2" (assert) (("2" (expand "K") (("2" (equate "(T * T) / 2 * (-1 / (T * T))" "-1/2") (("1" (assert) (("1" (hide -5) (("1" (replace -6 -2 lr) (("1" (hide -6) (("1" (replace -5 -2 lr) (("1" (hide -5) (("1" (hide -5 -6) (("1" (grind) (("1" (typepred "r!1") (("1" (hide -1 -3 -4) (("1" (expand "PreEffectOK") (("1" (inst?) 
(("1" (assert) (("1" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("3" (lemma "inv_10") (("3" (inst -1 "j!1" "r!1") (("3" (assert) (("3" (replace -6 -1 lr) (("3" (replace -5 -1 lr) (("3" (lemma "times_plus") (("3" (lemma "inv_11") (("3" (inst -2 "0" "w_1(states(r!1)(j!1)) * K * T " "- w_2(states(r!1)(j!1)) * K * T" "T") (("3" (lemma "real_0") (("3" (lemma "real_0") (("3" (inst -1 "T") (("3" (replace -1 -4 lr) (("3" (lemma "real_1") (("3" (inst -1 " w_1(states(r!1)(j!1)) * K * T" " w_2(states(r!1)(j!1)) * K * T") (("3" (replace -1 -5 lr) (("3" (lemma " zero_times2") (("3" (inst-cp -1 "w_1(states(r!1)(j!1)) * K * T") (("3" (hide -3) (("3" (inst -1 "-w_2(states(r!1)(j!1)) * K * T") (("3" (replace -1 -6 lr) (("3" (hide -1 -2) (("3" (lemma "identity_add") (("3" (inst-cp -1 "w_1(states(r!1)(j!1)) * K * T * T ") (("3" (replace -2 -6 lr) (("3" (inst -1 "w_1(states(r!1)(j!1)) * K * T * T + -w_2(states(r!1)(j!1)) * K * T * T") (("3" (hide -1 -2 -3 -4) (("3" (replace -2 -3 lr) (("3" (lemma "identity_add") (("3" (inst -1 "w_1(states(r!1)(j!1)) * K * T * T + -w_2(states(r!1)(j!1)) * K * T * T") (("3" (replace -1 -4 lr) (("3" (hide -1 -3) (("3" (lemma "inv_9") (("3" (inst -1 "j!1" "r!1") (("3" (split -1) (("1" (flatten) (("1" (replace -2 -4 rl) (("1" (hide -1 -2) (("1" (hide -8 -9 -7 -5 -6) (("1" (expand "K") (("1" (swap " -w_2(states(r!1)(j!1))" * "T * T" -2 l) (("1" (mult-by -1 " -1 / (T * T)") (("1" (lemma "inv_12") (("1" (inst?) 
(("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("4" (assert) (("4" (hide -4 -5 -6) (("4" (typepred "r!1") (("4" (hide -1 -3 -4) (("4" (expand "PreEffectOK") (("4" (assert) (("4" (inst?) (("4" (flatten) (("4" (hide -1) (("4" (expand "W_C_S_Effect") (("4" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("5" (typepred "r!1") (("5" (hide -1 -3 -4) (("5" (expand "PreEffectOK") (("5" (inst?) (("5" (flatten) (("5" (expand "W_C_S_Effect") (("5" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (inst?) (("2" (case "delay?(events(r!1)(j!1))") (("1" (assert) (("1" (typepred "r!1") (("1" (hide -3 -4 -1) (("1" (expand "PreEffectOK") (("1" (inst?) (("1" (flatten) (("1" (hide -1) (("1" (expand "W_C_S_Effect") (("1" (hide 1) (("1" (split 1) (("1" (assert) nil nil) ("2" (assert) nil nil) ("3" (assert) nil nil) ("4" (assert) (("4" (lemma "inv_16") (("4" (inst -1 "j!1" "r!1") (("4" (split -1) (("1" (hide -2) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (replace -3 -1 lr) (("1" (hide -3) (("1" (hide -2 -3 -4) (("1" (lemma "alg_lemma_4") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" "w_1(states(r!1)(j!1))" "w_2(states(r!1)(j!1))") (("1" (replace -1 -2 lr) (("1" (reveal -2) (("1" (hide -2) (("1" (lemma "alg_lemma_5") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "alg_lemma6") (("1" (inst -1 "(c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (lemma "inv_14") (("1" (inst?) 
(("1" (replace -4 -1 lr) (("1" (replace -1 -2 lr) (("1" (has-sign "c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)) " 0+) (("1" (lemma "inv_17") (("1" (lemma "inv_4") (("1" (lemma "inv_5") (("1" (inst?) (("1" (hide -8) (("1" (inst?) (("1" (inst?) (("1" (flatten) (("1" (lemma "both_sides_times_pos_le1") (("1" (hide -3 -5 -7) (("1" (inst -1 "((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_2(states(r!1)(j!1))" "M") (("1" (flatten) (("1" (hide -1) (("1" (lemma "both_sides_times_pos_le1") (("1" (inst -1 "(T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " w_1(states(r!1)(j!1)) " "M") (("1" (flatten) (("1" (hide -1) (("1" (replace -4 -1 lr) (("1" (replace -3 -2 lr) (("1" (hide -3 -4) (("1" (lemma "both_sides_times_pos_le1") (("1" (inst -1 " (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))" " w(states(r!1)(j!1))" "M") (("1" (flatten) (("1" (hide -1) (("1" (replace -4 -1 lr) (("1" (hide -4) (("1" (lemma "le_plus_le") (("1" (hide -5 -6 -7 -8) (("1" (inst-cp -1 "M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" " M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w_1(states(r!1)(j!1))* (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))") (("1" (split -2) (("1" (hide -4 -5) (("1" (inst -2 "M * (c(states(r!1)(j!1)) + 
t[PosTime](events(r!1)(j!1)))" " w_2(states(r!1)(j!1)) * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + w_1(states(r!1)(j!1)) * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T))" "w(states(r!1)(j!1)) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (replace -1 -2 lr) (("1" (hide -1) (("1" (replace -2 -1 lr) (("1" (hide -2) (("1" (replace -2 -1 rl) (("1" (hide -2) (("1" (name "add1" "M * ((T * T - 2 * T * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) + (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (T - ((c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1))) * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))) / (2 * T)) + M * (c(states(r!1)(j!1)) + t[PosTime](events(r!1)(j!1)))") (("1" (factor -1 l *) (("1" (lemma "alg_lemma_7 ") (("1" (inst?) 
(("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil) ("3" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil)) nil)) nil)) nil) ("5" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) unfinished nil 267426 62320 t nil)) (Correctness 0 (Correctness-1 nil 3292298724 3292301471 ("" (lemma "Safety_property_ex") (("" (skosimp*) (("" (inst?) (("" (flatten) (("" (hide -1 -2 -3) (("" (cross-mult) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) unchecked ((total_le formula-decl nil real_props nil) (partial_order? const-decl "bool" orders nil) (transitive? const-decl "bool" relations nil) (NOT const-decl "[bool -> bool]" booleans nil) (reflexive? const-decl "bool" relations nil) (preorder? const-decl "bool" orders nil) (total_order? 
const-decl "bool" orders nil) (M const-decl "posreal" wcs2 nil) (posreal nonempty-type-eq-decl nil real_types nil) (> const-decl "bool" reals nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (nonzero_real nonempty-type-eq-decl nil reals nil) (times_div2 formula-decl nil real_props nil) (T const-decl "PosTime" wcs2 nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield -> numfield]" number_fields nil) (div_mult_pos_le2 formula-decl nil real_props nil) (div_mult_pos_ge2 formula-decl nil real_props nil) (Runs type-eq-decl nil runs nil) (PreEffectOK const-decl "bool" runs nil) (PreRuns type-eq-decl nil runs nil) (now const-decl "Time" wcs2 nil) (W_C_S_Effect const-decl "bool" wcs2 nil) (W_C_S_Pre const-decl "bool" wcs2 nil) (Init_State const-decl "bool" wcs2 nil) (W_C_S_States type-eq-decl nil wcs2 nil) (M_int type-eq-decl nil wcs2 nil) (sequence type-eq-decl nil sequences nil) (PosTime type-eq-decl nil wcs2 nil) (Time nonempty-type-eq-decl nil wcs2 nil) (/= const-decl "boolean" notequal nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (PRED type-eq-decl nil defined_types nil) (W_C_S_Actions type-decl nil W_C_S_Actions_adt nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (Safety_property_ex formula-decl nil Invariant nil)) 33042 
2920 t shostak)))
$$$runs.pvs
runs [ States, Actions: TYPE, init : pred[States], Pre : [Actions -> pred[States]] , Effect : pred[[States, Actions, States]], now : [States -> nonneg_real] ] : THEORY
BEGIN
  % Runs of a transition system given by an initial-state predicate `init`,
  % a per-action precondition `Pre` and an effect relation `Effect`.
  % `now` reads the global clock of a state; in this theory it is only
  % referenced from the commented-out time-progress definitions below.

  % A pre-run is an infinite sequence of states and an infinite sequence of
  % actions; events(pr)(i) is the action taken between states i and i+1.
  PreRuns : TYPE = [# states : sequence[States], events : sequence[Actions] #]
  pr : VAR PreRuns
  t, t0 : VAR nonneg_real
  k,j ,i : VAR nat

  % Time-progress conditions (currently disabled, see Runs below).
  %NoTimeDecrease(pr) : bool =
  % FORALL i: now(states(pr)(i))<= now(states(pr)(i + 1))
  %NoTimeDecreaseEver : LEMMA
  % NoTimeDecrease(pr) IMPLIES
  %FORALL j: now(states(pr)(i))<= now(states(pr)(i + j))
  %by induction on j
  %NonZeno(pr): bool =
  % FORALL t : EXISTS k: t< now(states(pr)(k))
  % NonZeno is needed when time must be guaranteed to diverge, i.e. when a
  % property has to be shown to hold between, not only at, the discrete points.

  % Every step i of the run satisfies the precondition of its action in the
  % source state and the action's effect relation between states i and i+1.
  % The quantifier ranges over all of nat, so a Run is a complete infinite
  % behaviour, not a finite prefix.
  PreEffectOK(pr) : bool = FORALL i : Pre(events(pr)(i)) (states(pr)(i)) AND Effect(states(pr)(i), events(pr)(i), states(pr)(i + 1))

  % NOTE(review): Runs is defined by init and PreEffectOK alone; the
  % NoTimeDecrease / NonZeno conjuncts are commented out. Consequently nothing
  % in this theory rules out Zeno runs, and invariants proved over Runs hold at
  % every discrete index but say nothing about the time elapsed between
  % indices. Re-enable the conjuncts (and discharge them for the concrete
  % system) before relying on any timing argument.
  Runs : TYPE = { pr | init(states(pr)(0)) AND PreEffectOK(pr)
  % NoTimeDecrease(pr) AND
  % NonZeno(pr)
  }
  r:VAR Runs
  % Possibly not needed for this case study.
  %NoTimeDecreasegen: LEMMA %PROVED(induction on j)
  %i<=j IMPLIES now(states(r)(i))<=now(states(r)(j))
  %NoTimeDecrease2: LEMMA %PROVED ( NoTimeDecreasegen)
  % NOTE(review): the next comment line ends in extraction residue; the end of
  % runs.pvs and the head of runs.prf appear to have been lost in this listing.
  % now(states(r)(i)) numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (PreRuns type-eq-decl nil runs nil) (sequence type-eq-decl nil sequences nil) (Actions formal-type-decl nil runs nil) (now formal-const-decl "[States -> nonneg_real]" runs nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (States formal-type-decl nil runs nil) (<= const-decl "bool" reals nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real
nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) 105241 2860 t shostak)))
$$$W_C_S_Actions_adt.pvs
%%% ADT file generated from Actions
%%% NOTE(review): PVS regenerates this support theory every time the DATATYPE
%%% is typechecked, so it must not be hand-edited. As listed here it declares
%%% constructors delay/update, whereas the W_C_S_Actions DATATYPE later in this
%%% listing declares delay/control and the proof records refer to
%%% control/control?. The file shown is therefore stale relative to the
%%% datatype the proofs were checked against; regenerate before re-running.
W_C_S_Actions_adt[States: TYPE, Time: TYPE]: THEORY
BEGIN
  % Abstract type with its recognizers, constructors and accessors.
  W_C_S_Actions: TYPE

  delay?, update?: [W_C_S_Actions -> boolean]

  delay: [Time -> (delay?)]

  update: [States -> (update?)]

  t: [(delay?) -> Time]

  s: [(update?) -> States]

  % Constructor index: delay -> 0, update -> 1.
  ord(x: W_C_S_Actions): upto(1) =
      CASES x OF delay(delay1_var): 0, update(update1_var): 1 ENDCASES

  % Standard datatype axioms: accessor-based extensionality, eta,
  % accessor-of-constructor, exhaustiveness, disjointness and induction.
  W_C_S_Actions_delay_extensionality: AXIOM
    FORALL (delay?_var: (delay?), delay?_var2: (delay?)):
      t(delay?_var) = t(delay?_var2) IMPLIES delay?_var = delay?_var2;

  W_C_S_Actions_delay_eta: AXIOM
    FORALL (delay?_var: (delay?)): delay(t(delay?_var)) = delay?_var;

  W_C_S_Actions_update_extensionality: AXIOM
    FORALL (update?_var: (update?), update?_var2: (update?)):
      s(update?_var) = s(update?_var2) IMPLIES update?_var = update?_var2;

  W_C_S_Actions_update_eta: AXIOM
    FORALL (update?_var: (update?)): update(s(update?_var)) = update?_var;

  W_C_S_Actions_t_delay: AXIOM
    FORALL (delay1_var: Time): t(delay(delay1_var)) = delay1_var;

  W_C_S_Actions_s_update: AXIOM
    FORALL (update1_var: States): s(update(update1_var)) = update1_var;

  W_C_S_Actions_inclusive: AXIOM
    FORALL (W_C_S_Actions_var: W_C_S_Actions):
      delay?(W_C_S_Actions_var) OR update?(W_C_S_Actions_var);

  W_C_S_Actions_disjoint: AXIOM
    FORALL (W_C_S_Actions_var: W_C_S_Actions):
      NOT (delay?(W_C_S_Actions_var) AND update?(W_C_S_Actions_var));

  W_C_S_Actions_induction: AXIOM
    FORALL (p: [W_C_S_Actions -> boolean]):
      ((FORALL (delay1_var: Time): p(delay(delay1_var))) AND
       (FORALL (update1_var: States): p(update(update1_var))))
       IMPLIES (FORALL (W_C_S_Actions_var: W_C_S_Actions): p(W_C_S_Actions_var));

  % Lift predicates on the constructor arguments to the datatype (curried and
  % uncurried forms). The datatype is not recursive, so `every` and `some`
  % have identical definitions.
  every(p1: PRED[States], p2: PRED[Time])(a: W_C_S_Actions): boolean =
      CASES a OF delay(delay1_var): p2(delay1_var), update(update1_var): p1(update1_var) ENDCASES;

  every(p1: PRED[States], p2: PRED[Time], a: W_C_S_Actions): boolean =
      CASES a OF delay(delay1_var): p2(delay1_var), update(update1_var): p1(update1_var) ENDCASES;

  some(p1: PRED[States], p2: PRED[Time])(a: W_C_S_Actions): boolean =
      CASES a OF delay(delay1_var): p2(delay1_var), update(update1_var): p1(update1_var) ENDCASES;

  some(p1: PRED[States], p2: PRED[Time], a: W_C_S_Actions): boolean =
      CASES a OF delay(delay1_var): p2(delay1_var), update(update1_var): p1(update1_var) ENDCASES;

  % No constructor argument has the datatype itself as its type, so the only
  % subterm of a value is the value and the subterm ordering is empty.
  subterm(x, y: W_C_S_Actions): boolean = x = y;

  <<: (well_founded?[W_C_S_Actions]) = LAMBDA (x, y: W_C_S_Actions): FALSE;

  W_C_S_Actions_well_founded: AXIOM well_founded?[W_C_S_Actions](<<);

  % Recursion combinators, one per result type: select the branch by
  % constructor and apply the corresponding function to the argument
  % (the REDUCE_* forms also pass the whole value).
  reduce_nat(delay?_fun: [Time -> nat], update?_fun: [States -> nat]):
        [W_C_S_Actions -> nat] =
      LAMBDA (W_C_S_Actions_adtvar: W_C_S_Actions):
        LET red: [W_C_S_Actions -> nat] = reduce_nat(delay?_fun, update?_fun) IN
          CASES W_C_S_Actions_adtvar
            OF delay(delay1_var): delay?_fun(delay1_var),
               update(update1_var): update?_fun(update1_var)
            ENDCASES;

  REDUCE_nat(delay?_fun: [[Time, W_C_S_Actions] -> nat], update?_fun: [[States, W_C_S_Actions] -> nat]):
        [W_C_S_Actions -> nat] =
      LAMBDA (W_C_S_Actions_adtvar: W_C_S_Actions):
        LET red: [W_C_S_Actions -> nat] = REDUCE_nat(delay?_fun, update?_fun) IN
          CASES W_C_S_Actions_adtvar
            OF delay(delay1_var): delay?_fun(delay1_var, W_C_S_Actions_adtvar),
               update(update1_var): update?_fun(update1_var, W_C_S_Actions_adtvar)
            ENDCASES;

  reduce_ordinal(delay?_fun: [Time -> ordinal], update?_fun: [States -> ordinal]):
        [W_C_S_Actions -> ordinal] =
      LAMBDA (W_C_S_Actions_adtvar: W_C_S_Actions):
        LET red: [W_C_S_Actions -> ordinal] = reduce_ordinal(delay?_fun, update?_fun) IN
          CASES W_C_S_Actions_adtvar
            OF delay(delay1_var): delay?_fun(delay1_var),
               update(update1_var): update?_fun(update1_var)
            ENDCASES;

  REDUCE_ordinal(delay?_fun: [[Time, W_C_S_Actions] -> ordinal], update?_fun: [[States, W_C_S_Actions] -> ordinal]):
        [W_C_S_Actions -> ordinal] =
      LAMBDA (W_C_S_Actions_adtvar: W_C_S_Actions):
        LET red: [W_C_S_Actions -> ordinal] = REDUCE_ordinal(delay?_fun, update?_fun) IN
          CASES W_C_S_Actions_adtvar
            OF delay(delay1_var): delay?_fun(delay1_var, W_C_S_Actions_adtvar),
               update(update1_var): update?_fun(update1_var, W_C_S_Actions_adtvar)
            ENDCASES;
END W_C_S_Actions_adt


% Map over the constructor arguments, producing an action over the target
% States1/Time1 types.
W_C_S_Actions_adt_map[States: TYPE, Time: TYPE, States1: TYPE, Time1: TYPE]: THEORY
BEGIN
  IMPORTING W_C_S_Actions_adt

  map(f1: [States -> States1], f2: [Time -> Time1])
     (a: W_C_S_Actions[States, Time]):
        W_C_S_Actions[States1, Time1] =
      CASES a
        OF delay(delay1_var): delay(f2(delay1_var)),
           update(update1_var): update(f1(update1_var))
        ENDCASES;

  map(f1: [States -> States1], f2: [Time -> Time1], a: W_C_S_Actions[States, Time]):
        W_C_S_Actions[States1, Time1] =
      CASES a
        OF delay(delay1_var): delay(f2(delay1_var)),
           update(update1_var): update(f1(update1_var))
        ENDCASES;
END W_C_S_Actions_adt_map


% Generic reduce over an arbitrary result type `range`.
W_C_S_Actions_adt_reduce[States: TYPE, Time: TYPE, range: TYPE]: THEORY
BEGIN
  IMPORTING W_C_S_Actions_adt[States, Time]

  reduce(delay?_fun: [Time -> range], update?_fun: [States -> range]):
        [W_C_S_Actions -> range] =
      LAMBDA (W_C_S_Actions_adtvar: W_C_S_Actions):
        LET red: [W_C_S_Actions -> range] = reduce(delay?_fun, update?_fun) IN
          CASES W_C_S_Actions_adtvar
            OF delay(delay1_var): delay?_fun(delay1_var),
               update(update1_var): update?_fun(update1_var)
            ENDCASES;

  REDUCE(delay?_fun: [[Time, W_C_S_Actions] -> range], update?_fun: [[States, W_C_S_Actions] -> range]):
        [W_C_S_Actions -> range] =
      LAMBDA (W_C_S_Actions_adtvar: W_C_S_Actions):
        LET red: [W_C_S_Actions -> range] = REDUCE(delay?_fun, update?_fun) IN
          CASES W_C_S_Actions_adtvar
            OF delay(delay1_var): delay?_fun(delay1_var, W_C_S_Actions_adtvar),
               update(update1_var): update?_fun(update1_var, W_C_S_Actions_adtvar)
            ENDCASES;
END W_C_S_Actions_adt_reduce
$$$W_C_S_Actions.pvs
W_C_S_Actions[Time: TYPE ] :DATATYPE
BEGIN %
ASSUMING % assuming declarations % ENDASSUMING delay(t:Time) : delay? control: control? % when time t=T %env(id : ProcIds) : env? END W_C_S_Actions $$$wcs2.pvs wcs2 % [ parameters ] : THEORY BEGIN % ASSUMING % assuming declarations % ENDASSUMING Time: NONEMPTY_TYPE = nonneg_real PosTime: TYPE= {v: Time|v /= 0} IMPORTING W_C_S_Actions[PosTime] % PosTime: TYPE= {v: Time|v /= 0} t: VAR PosTime T :PosTime %T represent the sampling time.It means that the discrete transitions may occour every T time units K:real = -1/(T*T) M:posreal M_int: TYPE ={ r:nonneg_real|r<=M and r>=-M} W_C_S_States: TYPE = [# w_1:M_int, w_2:M_int, w:M_int, %w_c: real,%takes count of thw value of w at control event(don#t need) y:real,%position y_c : real,%this variable takes count of the value of y at control event v:real,%velocity v_c:real,%,%this variable takes count of the value of v at control event a:real,%acceleration a_c:real,%this variable takes count of the value of a at control event c: Time,%local clock u: Time %global clock, maybe not needed #] s, s1, s2: VAR W_C_S_States Init_State(s): bool =%pred[W_C_S_States] = w_1(s)=0 and w_2(s)=0 and y(s)=0 and y_c(s)=0 and v(s)=0 and v_c(s)=0 and a(s)=0 and a_c(s)=0 and c(s)=0 and u(s)=0 %look!!!at w at init! A : VAR W_C_S_Actions pre_x(s, t): bool = c(s) + t<=T W_C_S_Pre(A)(s): bool = CASES A OF delay(t): pre_x(s, t), control: c(s)=T ENDCASES; %We suppose that at control event changes acceleration, while velocity remain the same. 
%The acceleration changes following this rule:
%v: value of velocity at sample point
%y: value of position at sample point
% Transition relation.  Every field of s2 is fixed by the conjunction in each
% branch (the only freedom is the fresh disturbance sample neww in the control
% branch).
%  delay(t): the plant evolves for t more time units from the values captured
%            at the last control event (c(s1)+t is the elapsed time since
%            then); the disturbance w is held constant; both clocks advance.
%  control:  the disturbance history shifts (w -> w_1 -> w_2) and a new sample
%            is drawn; a is recomputed from the position error y - y_c and the
%            previous commanded acceleration; y, v are sampled into y_c, v_c;
%            position and velocity are unchanged; the local clock resets.
W_C_S_Effect(s1, A ,s2): bool = CASES A OF
     delay(t): %s2=s1 WITH [
       v(s2)=v_c(s1)+a_c(s1)*(c(s1)+t) and y(s2)=y_c(s1)+ v_c(s1)*(c(s1)+t)+ a_c(s1)*((c(s1)+t)*(c(s1)+t))/2 + w(s1)*(c(s1)+t) and w_1(s2)=w_1(s1) and w_2(s2)=w_2(s1)and y_c(s2)=y_c(s1) and v_c(s2)=v_c(s1) and a(s2)=a(s1) and a_c(s2)=a_c(s1) and w(s2)=w(s1) and c(s2)=c(s1) + t and u(s2)=u(s1)+t ,
     control: EXISTS (neww : M_int) : %s2= s1 WITH [
       w_2(s2)= w_1(s1) and w_1(s2)=w(s1) and w (s2)= neww and a(s2)=K*(y(s1)-y_c(s1))-a_c(s1)/2 and y_c(s2)=y(s1)and a_c(s2)=a(s2)and v_c(s2)=v(s1)and y(s2)=y(s1) and v(s2)=v(s1)and c(s2)=0 and u(s2)=u(s1)
     ENDCASES;
% Global time of a state is its global clock.
now(s): Time=u(s)
% Instantiate the generic runs theory with this transition system; Runs and
% PreEffectOK used by the Invariant theory come from here.
IMPORTING runs[W_C_S_States, W_C_S_Actions, Init_State, W_C_S_Pre, W_C_S_Effect, now]
END wcs2
$$$wcs2.prf
(wcs2 (T_TCC1 0 (T_TCC1-1 nil 3271005771 3275308255 ("" (assert) (("" (inst 1 "1") nil nil)) nil) proved ((PosTime type-eq-decl nil wcs2 nil) (> const-decl "bool" reals nil) (Time nonempty-type-eq-decl nil wcs2 nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) 67 10 t nil)) (K_TCC1 0 (K_TCC1-1 nil 3275308259 3275308334 ("" (typepred "T") (("" (assert) (("" (postpone) nil nil)) nil)) nil) unfinished nil 75324 690 t shostak)) (W_C_S_Pre_TCC1 0 (W_C_S_Pre_TCC1-1 nil 3275308344 3275308385 ("" (skosimp*) (("" (assert) (("" (typepred "t!1") (("" (assert) (("" (postpone) nil nil)) nil)) nil)) nil)) nil) unfinished nil 40712 580 t shostak)))
