4< ~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~                                     Safe-InferredInput generator (Always generates the same default value :Generates all possible values once, in a predefined order JGenerated values randomly; the same value can be generated multiple times   n': interval centered around 0 of size n   n%: interval starting from 0 of size n @Convert a (possibly infinite) nonempty list into a stream        Safe-Inferred Integer intervals  Integers extended with infinity Lattice type class  r a b : result of dividing a by b, rounded with r in the finite case; % dividing infinty by infinity yields . Is interval empty? (Are both bounds of the interval finite? All positive integers !All negative integers "All positive integers and 0 #All netaive integers and 0 $JApply function to all pairs of bounds coming from two different intervals %Division on integer intervals Top Bottom Partial order Least upper bound Greatest lower bound  !"#$% !"#$% !"#$% !"#$% Safe-Inferred&Error accumulator: M used in combination with ErrorT to store intermediate computation results, F when errors should be accumulated rather than reported immediately )JTransform an error computation and default value into an error accumlator *FTransform an error accumlator back into a regular error computation ++ f def xs :  Apply f to all xs4, accumulating errors and reporting them at the end ,, f xs :  Apply f to all xs/ throwing away the result, accumulating errors -Same as ,", but reporting errors at the end .. f xs ys :  Apply type checking f to all xs and ys throwing away the result, 3 accumulating errors and reporting them at the end &'()*+,-. &'()*+,-. &'()*+,-. &'()*+,-. Safe-Inferred/*Anything with a source position attached 3Attach position to a node 4Dummy source position 5 Attach dummy position to a node 66 p : parser that behaves like pW, but also attaches the source position before the first token it parsed to the result 77 f a : apply f to a and attach a's position to the result 88 f a b : apply f to a and b and attach a's position to the result /012345678/012345678/012435678 /012345678 Safe-InferredA9-Parent information in a constant declaration C (Nothing means no information, while empty list means no parents) :@Parent edge of a constant declaration (uniqueness, parent name) ; Formal argument of a function <%Name declaration with a where clause A$Name declaration (identifier, type) BDefinition of a type G Identifier HTop-level declaration II  name type_args formals rets body JJ )name type_args formals rets contract body MM name type_args formals ret body NN $unique names type orderSpec complete P8Top-level declaration with a source position attached QProcedure contract clause RR e free SS var_names free TT e free USpecification clause WSource of the clause X1Is it free (assumption) or checked (assertions)? YBoolean expression ZTypes of specification clauses a,Procedure body transformed to basic blocks: C consists of local variable declarations and a set of basic blocks = (represented as a map from their labels to statement lists) b?Basic block is a list of statements labeled by a single label; 4 the list contains no jump, if or while statements, > except for the last statement, which can be a goto or return cNProcedure body: consists of local variable declarations and a statement block dStatement block e%Statement labeled by multiple labels fGStatement labeled by multiple labels with a source position attached g Statement h only used at the end of a block ii labels kk label ll $wild_or_expr free_loop_inv loop_body mm "wild_or_expr then_block else_block nn proc_name args oo lhss proc_name args pp var_map_selects rhss qq  var_names r'Predicate statement (assume or assert) s,Statement with a source position attached tWildcard or expression w Expression xx qop type_vars bound_vars expr || cond eThen eElse ~~ map indexes rhs   map indexes  f args  name  value true false -Expression with a source position attached  Quantifiers Binary operators Unary operators Type int bool *Program: a list of top-level declarations  id : type denoted by id without arguments 5Dummy type used during type checking to denote error  m args- : map selection expression with position of m attached 3Block consisting of a single non-labeled statement Strip the where clause 2Argument name used for unnamed function arguments @ (does not matter, because it is never referred to from function' s body) s9:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~s9:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~sw~}|{zyxtvusgrqponmlkjihfedcbaZ`_^]\[UVWXYQTSRPHONMLKJIGBCDEFA<=>?@;:9"9:;<=>?@ABCDEFGHONMLKJIPQTSRUVWXYZ`_^]\[abcdefg rqponmlkjihstvuw ~}|{zyx Safe-Inferred  Keywords  op table : lookup operator name in table Names of unary operators 'Names of binary operators Names of quantifiers Other operators FCharacters allowed in identifiers (in addition to letters and digits) Start of a multi-line comment End of a multi-line comment Start of a single-line comment RA character that is not allowed in identifiers (used for generating unique names) NoneGProcedure definition; C a single procedure might have multiple definitions (one per body) )In-parameter names (in the same order as ! in the corresponding signature) *Out-parameter names (in the same order as ! in the corresponding signature) Are any parameter names in this definition different for the procedure signature? (used for optimizing parameter renaming, True is a safe default) Body Constraints on local names GLocation of the (first line of the) procedure definition in the source Procedure signature Procedure name Type variables In-parameters Out-parameters  Contracts 0Abstract store: maps names to their constraints IConstraint set: contains a list of definitions and a list of constraints Function definition 'Entity to which the definition belongs Type variables JArguments (types may be less general than in the corresponding signature) -Condition under which the definition applies Body Function signature Function name Type variables Argument types  Return type &Mapping from variables to expressions %Mapping from type variables to types   binding t : ' Substitute all free type variables in t according to binding;  all variables in the domain of bindings- are considered free if not explicitly bound  tv newTV binding : binding with each occurrence of one of tv replaced with corresponding newTV  (in both domain and range) x  t : does x occur free in t?  tvs tvs'- : type binding that replaces type variables tvs with type variables tvs' ' freshTVName n2 : Fresh type variable with a unique identifier n  contextTypeVars v : Is v either one of contextTypeVars( or a freash type variable generated by ?  fv xs ys : most general unifier of xs and ys0 with shared free type variables of the context fv  tvs tvs' :  New names for type variables tvs that are disjoint from tvs'  (if tvsF does not have duplicates, then result also does not have duplicates)  fv bv1 xs bv2 ys :  Most general unifier of xs and ys,  where bv1. are universally quantified type variables in xs and bv2. are universally quantified type variables in ys,  and fv2 are free type variables of the enclosing context [Internal tuple type constructor (used for representing procedure returns as a single type) LFree variables in an expression, referred to in current state and old state 2Free variables in an expression, in current state .Free variables in an expression, in old state   binding e$ : substitute all free variables in e according to binding;  all variables in the domain of bindings- are considered free if not explicitly bound  sig def : 5 Binding of parameter names from procedure signature sig0 to their equivalents from procedure definition def  sig def : ! Substitute parameter names from sig. in an expression with their equivalents from def  expr$ : all map selections that occur in expr#, where the map is a free variable  expr+ : all function applications that occur in expr  specs : all precondition clauses in specs  specs : all postcondition clauses in specs  specs : all modifies clauses in specs +Make all preconditions in contracts free ,Make all postconditions in contracts free #Function signature as a map type "Map type as a function signature CUnion of abstract stores (values at the same key are concatenated) )All parameters of a procedure signature 0Types of in-parameters of a procedure signature 1Types of out-parameters of a procedure signature "Procedure signature as a map type *Modifies clauses of a procedure signature 'Preconditions of a procedure signature (Postconditions of a procedure signature ,All local names of a procedure definition    (lo, hi) : Interval from lo to hi  Extract the element out of a ' and throw an error if its argument is     keys m : map m with keys removed from its domain    keys m : map m restricted on the set of keys keys  keys m : map m with the set of keys keys removed from its domain Monadic version of b (executes boolean-valued computation for all arguments in a list until the first True is found) Monadic version of c (executes boolean-valued computation for all arguments in a list until the first False is found) )Execute a computation with state of type t) inside a computation with state of type s   localState e :  Execute e in current state modified by  localState!, and then restore current state g     ]     ]     O     NonePretty-printed program ,Render document with tabs instead of spaces Pretty-printed unary operator Pretty-printed binary operator Pretty-printed quantifier Pretty-printed type /Pretty-printed function or procedure signature Binding power of an expression Pretty-printed expression  n expr : print expr! in a context with binding power n Pretty-printed statement %Pretty-printed top-level declaration   isDef fdef : fdef! pretty-printed as definition if isDef and as constraint otherwise  Pretty-printed constraint set Pretty-printed abstract store ! New line "Separate by new lines #Separate by commas $ Enclose in < > %Enclose in spaces &Conditionally produce a doc ' Convert a  value to doc 'Conditionally enclose in parentheses #Pretty-printed type arguments  Pretty-printed name declaration 4Pretty-printed name declaration with a where clause / !"#$%&'      !"#$%&'!"#$%&' / !"#$%&'      NoneDdComputation with typing context as state, which can result in either a list of type errors or a (?Type error with a source position and a pretty-printed message *Typing context ,type constructor arity -type synonym values ./global variable types (type synonyms resolved) /(constant types (type synonyms resolved) 0-function signatures (type synonyms resolved) 1.procedure signatures (type synonyms resolved)  Local: 2free type variables 3input parameter types 4local variable types 5<variables in the modifies clause of the enclosing procedure 6+all labels of the enclosing procedure body 7#labels of all enclosing statements 8<is the context two-state? (procedure body or postcondition) 9is context inside a loop body? :position in the source code E Persistent context (not specific to any node, never gets restored): ;1number of fresh type variables already generated <ZCheck program and return type errors if present, and the global typing context otherwise == c expr :  Type of expr in context c; ) fails if expr contains type errors. >> sig formals actuals mRetType c :  Local context of function sig with formal arguments formals and actual arguments actuals 7 in a context where the return type is exprected to be mRetType (if known) ?? sig def actuals lhss c :  Local context of procedure sig with definition def and actual arguments actuals  in a call with left-hand sides lhss @,Local context of a quantified expression AEmpty context CType constructors and synonyms DGlobal variables and constants E%Input parameters and local variables FMAll variables that can be assigned to (local variables and global variables) GHAll variables that can have where clauses (everything except constants) H4All variables and constants (local-scope preferred) I"Names of functions and procedures JFunction signature by name KProcedure signature by name 9Return a fresh type variable name and a modified context  check : perform check2 and then restores the scoped part of the context Pretty-printed type error L#Pretty-printed list of type errors Throw a single type error  doc1 ts1 doc2 ts2 contextDoc : throw an error because types ts1 do not match ts2;  use doc1 and doc2 to describe ts1 and ts2 correspondingly; use  contextDoc% to describe the context of mismatch <Check that a type variable is fresh and add it to context ECheck that all type names exist and have correct number of arguments MM c t : type t9 with all type synonyms resolved according to binding in c  tv types : generate fresh names for tv" and replace their occurrences in types   sig actuals :  Function signature sig= with type variables instantiated given the actual arguments actuals  sig actuals lhss : 0 Instantiation of type variables in a procedure sig given the actual arguments actuals and call left-hand sides lhss B (type binding is returned in terms of original type variables of sig-, so that types of locals can be calculated)  c expr :  Check that expr+ is a valid expression and return its type L (requires all types in the context be valid and type synonyms be resolved)  c st :  Check that st is a valid statement  block :  Check that all labels in block: and nested blocks are unique and add them to the context !Check every statement in a block *Collect type names from type declarations NCheck uniqueness of type constructors and synonyms, and them in the context  PCheck that type arguments of type synonyms are fresh and values are valid types !rCheck if type synonym declarations have cyclic dependences (program is passed for the purpose of error reporting) "JCheck variable, constant, function and procedures and add them to context ## scope getter setter idType :  Check that declaration idType is fresh in scope, and if so add it to getter using setter $PCheck uniqueness of function name, types of formals and add function to context %XCheck uniqueness of procedure name, types of formals and add procedure to context &2Check axioms, function and procedure bodies '4Check that where-part is a valid boolean expression ((  ids t parents : Check that identifiers in parents are distinct constants of type t and do not occur among ids )3Check that axiom is a valid boolean expression *\Check that function body is a valid expression of the same type as the function return type +DCheck where-parts of procedure arguments and statements in its body ,Check procedure body -lCheck that implementation corresponds to a known procedure and matches its signature, then check all bodies . Check program in several passes // msg t e  Check that e, is a valid expression and its type matches t;  in case of type error use msg as a description for e + (requires type synonyms in t be resolved) d()*+,-./0123456789:;<=>?@A0123B45678CDEFGHIJKLM9:;<=>?@ABCDEFGHIJ !"#$%&'()*+,-./KL&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLM&<=M()L*+,-./0123456789:;ACDEFGHIJKB>?@R()*+,-./0123456789:;<=>?@A0123B45678CDEFGHIJKLM9:;<=>?@ABCDEFGHIJ !"#$%&'()*+,-./KL NoneNProgram parser OType parser PExpression parser QStatement parser RTop-level declaration parser CNMNOPQRSTUVWXYZ[\]^_`abcdefOghijPklmnopqrQstuvwxyz{|}~RNOPQRNOPQRCNMNOPQRSTUVWXYZ[\]^_`abcdefOghijPklmnopqrQstuvwxyz{|}~R NoneS.Negation normal form of a Boolean expression: M no negation above boolean connectives, quantifiers or relational operators;  no boolean connectives except && and || T,Prenex normal form of a Boolean expression: q all quantifiers are pushed to the outside and any two quantifiers of the same kind in a row are glued together. : Requires expression to be in the negation normal form. U8Negation and prenex normal form of a Boolean expression STUSTUSTUSTU NoneVHeap 5Mapping of references of values and reference counts hSet of unused references (exactly those references for which snd hValCounts = 0, stored for efficiency) jSet of references that have been removed from the heap and are ready to be reused (stored for efficiency) ,Smallest reference that has never been used WReference (index in the heap) XPretty-printed reference Y Empty heap ZZ h r : value of r in heap h [ Does the heap have any garbage? \\ v h# : choose a free reference in heap h and store value v5 in there; return the reference and the updated heap ]WCollect some garbage reference in the heap and return that reference and the new heap;  the heap must have garbage ^^ r v h : set the value at reference r to v in h;  r must be present in h __ r h : increase reference count of r in h;  r must be present in h `` r h : decrease reference count of r in h;  r must be present in h aPretty-printed heap VWXYZ[\]^_`a VWXYZ[\]^_`a WXVYZ\[]^_`aVWXYZ[\]^_`a None4bDMemory: stores concrete values associated with names and references Local variable store Global variable store 2Old global variable store (in two-state contexts) Constant and function cache Heap c*Store: stores variable values at runtime dRun-time value e&Reference to a map stored in the heap fValue of a map type: consists of an optional reference to the base map (if derived from base by updating) and key-value pairs that override base gValue of a user-defined type hBoolean value iInteger value jRepresentation of a map value kGMap that is derived from another map by redefining values at some keys ldMap that comes directly from a non-deterministic choice, possibly with some key-value pairs defined m!Representation of an empty map n:Key-value pairs stored explicitly in a map representation $Pretty-printed map representation oo t n: value of type t with an integer code n sPretty-printed value t>Source reference and key-value pairs of a reference in a heap uFirst component of t vSecond component of t w9Dummy user-defined type used to differentiate map values x^Dummy user-defined type used to mark entities whose definitions are currently being evaluated yy h v: Completely dereference value v given heap h$ (so that no references are left in v) zz h v1 v2: is v1 equal to v2; in the Boogie semantics? Nothing if cannot be determined. }A store with no variables ~Pretty-printed store   heap store : store9 with all reference values completely dereferenced given heap#, and all auxiliary values removed  name4 : name of a map constant that corresponds function name * (must be distinct from all global names) IAbstract memory: stores constraints associated with names and references Local name constraints Global name constraints Reference constraints &Lens that selects a store from memory  Empty memory GVisible values of all identifiers in a memory (locals shadow globals)   debug mem* : either user or debug representation of mem, depending on debug Execution state Concrete values Abstract values Procedure implementations  Type context 5Input generator (used for non-deterministic choices) UFor each user-defined type, number of distinct values of this type already generated QMaximum number of values to try for a quantified variable (unbounded if Nothing) 0Is an old expression currently being evaluated? Empty abstract memory  tc gen(: Initial environment in a type context tc with a value generator gen  getter def key env : lookup key in a map accessible with getter from env; if it does not occur return def ]bcdefghijklmnopqrstuvwxyz{|}~@bcdefghijklmnopqrstuvwxyz{|}~@jlkmndihgfeoqprtuvwxyz|{sc}~bCbcdihgfejlkmnopqrstuvwxyz{|}~ None :Transform procedure body into a sequence of basic blocks. Q A basic block starts with a label and contains no jump, if or while statements, ? except for the last statement, which can be a goto or return. (Label of the first block in a procedure jAttach a label to the first statement (with an empty label) in a non-empty list of labeled statements 9LStatement with no label (no source position, generated) SLStatement with no label (with a source position, derived from a source statement) LStatement with no statement FSpecial label value that denoted the innermost loop (used for break) VgenFreshLabel kind i: returns a label of kind with id i and the id for the next label Ltransform m statement: transform statement into a sequence of basic blocks; R m is a map from statement labels to labels of their exit points (used for break)  NoneeTLinear form (A, B) represents a set of expressions a*x + b, where a in A and b in B 2Sets of interval constraints on integer variables Finite domain Test session summary Number of passing test cases Number of failing test cases Number of invalid test cases #Number of nonexecutable test cases Unique failing test cases Description of an execution .Root procedure (entry point) of the execution :Final memory state (at the exit from the root procedure) TFailure the execution eded with, or Nothing if the execution ended in a valid state Internal error codes Kinds of run-time failures qThe state is OK in Boogie semantics, but the execution cannot continue due to the limitations of the interpreter 1Unreachable state reached (assumption violation) *Error state reached (assertion violation) %Failures that occur during execution Source of the failure $Location where the failure occurred $Memory state at the time of failure UStack trace from the program entry point to the procedure where the failure occurred 1Information about a procedure or function call !Source code position of the call Name of procedure or function ?Must be cought inside the interpreter and never reach the user *Equality of two maps cannot be determined $Quantification over an infinite set MLanguage construct is not yet supported (should disappear in later versions) Division by zero (Violation of user-defined specification /Computations that perform a cleanup at the end Computations with " as state, which always result in a Computations with & as state, which can result in either a or   p tc entryPoint :  Execute program p non-deterministically in type context tc starting from procedure  entryPoint m and return an infinite list of possible outcomes (each either runtime failure or the final variable store). Z Whenever a value is unspecified, all values of the required type are tried exhaustively.  p tc entryPoint :  Execute program p deterministically in type context tc starting from procedure  entryPoint  and return a single outcome. P Whenever a value is unspecified, a default value of the required type is used.   p tc generator qbound entryPoint :  Execute program p in type context tc with input generator  generator, starting from procedure  entryPoint, 6 and return the outcome(s) embedded into the generator' s monad.   computation : Execute a safe  computation in an unsafe environment  computation handler : Execute an unsafe  computation6 in a safe environment, handling errors that occur in  computation with handler %Run execution in the old environment NSave current values of global variables in memOld, return the previous memory  oldMem : reset  to its value from oldMem UEnter local scope (apply localTC to the type context and assign actuals to formals),  execute computation, G then restore type context and local variables to their initial values Throw a run-time failure 3Push frame on the stack trace of a runtime failure Kind of a run-time failure  Pretty-printed run-time failure 2Do two runtime failures represent the same fault? > Yes if the same property failed at the same program location / or, for preconditions, for the same caller  tc: Does tc end in a valid state?  tc: Does tc and in an unreachable state?  tc: Does tc end in a non-executable state?  tc: Does tc end in an error state?  debug tc : Summary of tc's inputs and outcome, 0 displayed in user or debug format depending on debug  debug tc : outputs of tc, 0 displayed in user or debug format depending on debug =Test cases are considered equivalent from a user perspective I | if they are testing the same procedure and result in the same outcome $Pretty-printed test session summary "Summary of a set of test cases  f : computation that extracts f from the generator  t pos : choose a value of type t at source position pos;  fail if t is a type variable  v& : choose a value of the same type as v  val : if val$ is a reference, increase its count  val : if val& is a reference, decrease its count   getter name : if name$ was associated with a reference in getter, decrease its reference count  setter name val : set value of variable name to val using setter   lens name val : set value of variable name to val using lens;  if name? was associated with a reference, decrease its reference count  name val5 : set value of a constant, global or local variable name to val   lens name : forget value of variable name in lens;  if nameE was associated with a reference, decrease its reference count  name8 : forget value of a constant, global or local variable name to val   r index val : map index to val in the map referenced by r  (r has to be a source map)  r index : forget value at index in the map referenced by r  (r has to be a source map)  r: current value of reference r in the heap  v: store v: at a fresh location in the heap and return that location -Remove all unused references from the heap Semantics of unary operators +Semi-strict semantics of binary operators:   op lhs : returns the value of lhs op( if already defined, otherwise Nothing %Strict semantics of binary operators BEuclidean division used by Boogie for integer division and modulo Evaluate an expression; S can have a side-effect of initializing variables that were not previously defined Execute a basic statement + (no jump, if or while statements allowed) LExecute program consisting of blocks starting from the block labeled label. ( Return the location of the exit point. KtryOneOf blocks labels: try executing blocks starting with each of labels, I until we find one that does not result in an assumption violation  sig def args lhss :  Execute definition def of procedure sig with actual arguments args and call left-hand sides lhss 8Assert preconditions of definition def of procedure sig JAssert postconditions of definition def of procedure sig at exitPoint  val : throw an exception if val is under construction  %typeGuard evalLocally myCode defs pos= : return the result of the first applicable definition from defs;  if none are applicable return , 3 unless an under construction value different from myCodeL has been evaluated, in which case rethrow the UnderConstruction exception;  use typeGuard tv formalTypes/ to decide if a definition with type variables tv and types of formals  formalTypes+ is applicable to the current invocation;  use evalLocally formals< to evaluate expressions inside a definition with arguments formals;  pos. is the position of the definition invocation   name t pos : return a value for name of type t mentioned at pos', if there is an applicable definition  r t args actuals pos : return a value at index actuals  in the map of type t referenced by r mentioned at pos(, if there is an applicable definition  name evaluation guard body pos :  check for an entity name that guard ==> body, using  evaluation to evaluate both guard and body;  (pos5 is the position of the constraint invocation)  name pos#: assume all constraints of entity name mentioned at pos;  is namei is of map type, attach all its forall-definitions and forall-contraints to the corresponding reference  r t args actuals pos1 : assume all constraints for the value at index actuals  in the map of type t referenced by r mentioned at pos /Collect procedure implementations, and constantfunctionglobal variable constraints  bExpr, : extract definitions and constraints from bExpr   vars args : extract simple arguments from args; ; an argument is simple if it is either one of variables in vars or does not contain any of vars; Q in the latter case the argument is represented as a fresh name and a constraint iThe set of domains for each variable in vars, outside which boolean expression boolExpr is always false. > Fails if any of the domains are infinite or cannot be found. SStarting from initial constraints, refine them with the information from boolExpr, L until fixpoint is reached or the domain for one of the variables is empty. n This function terminates because the interval for each variable can only become smaller with each iteration. ]Infer an interval for variable x, outside which boolean expression booExpr is always false, > assuming all other quantified variables satisfy constraints; 4 boolExpr has to be in negation-prenex normal form. UIf possible, convert arithmetic expression aExpr into a linear form over variable x, > assuming all other quantified variables satisfy constraints.  v1 v2 : Evaluate v1 == v2 ,Ensure that two compatible values are equal      33j       !"#$%&'()*+,-./01234566789:;<=>>?@ABCDEFGHIJJKLMNOOPQRSTUVWXYZ[\]^_`aabcdefghijklmnopqrstuvwxyz{|}~N      !"#$%&'()*+, - - . . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~                                                           ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ) ^ _ ` a b ( c d e f g h i j k l m n o p q r s t u v w x y z { | } ~                  Y                         e            language-boogie-0.2Language.Boogie.PositionLanguage.Boogie.GeneratorLanguage.Boogie.IntervalsLanguage.Boogie.ErrorAccumLanguage.Boogie.ASTLanguage.Boogie.TokensLanguage.Boogie.UtilLanguage.Boogie.PrettyPrinterLanguage.Boogie.TypeCheckerLanguage.Boogie.ParserLanguage.Boogie.NormalFormLanguage.Boogie.HeapLanguage.Boogie.EnvironmentLanguage.Boogie.BasicBlocksLanguage.Boogie.Interpreter parsec-3.1.3Text.Parsec.Pos sourceColumn sourceLine sourceName SourcePos GeneratorgenBool genIntegergenIndexdefaultGeneratorexhaustiveGeneratorrandomGenerator intInterval natIntervalfromListIntervallowerupperExtendedInfFiniteNegInfLatticetopbot<:joinmeetextDivisBottom isBounded positives negatives nonNegatives nonPositives mapBounds// ErrorAccumTrunErrorAccumTaccumreportmapAccum mapAccumA_ mapAccum_ zipWithAccum_Pospositionnode attachPosnoPosgenattachPosBefore inheritPos inheritPos2 ParentInfo ParentEdgeFArg IdTypeWhereitwIditwTypeitwWhereIdTypeNewTypetIdtArgstValueIdBareDeclImplementationDecl ProcedureDeclVarDecl AxiomDecl FunctionDecl ConstantDeclTypeDeclDeclContractEnsuresModifiesRequires SpecClausespecTypespecFreespecExprSpecTypeAxiomWhere LoopInvariant Postcondition PreconditionInline BasicBody BasicBlockBodyBlockBareLStatement LStatement BareStatementSkipGotoReturnBreakWhileIf CallForallCallAssignHavoc Predicate StatementWildcardExpressionExprWildcardBareExpression QuantifiedBinaryExpressionUnaryExpressionCoercionIfExprOld MapUpdate MapSelection ApplicationVarNumeralTTFF ExpressionQOpLambdaExistsForallBinOpGeqGtLeqLsLcNeqEqEquivExpliesImpliesOrAndModDivTimesMinusPlusUnOpNotNegTypeMapTypeIntTypeBoolTypeProgram nullaryTypenoType mapSelectExprsingletonBlocknoWhere dummyFArgkeywordsopName unOpTokens binOpTokens qOpTokensotherOpsidentifierChars commentStart commentEnd commentLine nonIdCharPDefpdefInspdefOutspdefParamsRenamedpdefBodypdefConstraintspdefPosPSigpsigName psigTypeVarspsigArgspsigRets psigContracts AbstractStore ConstraintSetFDeffdefNamefdefTVfdefArgs fdefGuardfdefBodyFSigfsigName fsigTypeVars fsigArgTypes fsigRetType VarBinding TypeBinding typeSubstrenameTypeVarsisFreeIn fromTVNames freshTVName isTypeVarunifier tupleTypefreeVarsTwoStatefreeVars freeOldVars exprSubst paramSubstfreeSelections applications preconditionspostconditionsmodifiesassumePreconditionsassumePostconditionsfsigType fsigFromTypeasUnion psigParams psigArgTypes psigRetTypespsigType psigModifies psigRequires psigEnsures pdefLocalsnumenegenot|+||-||*||/||%||=||!=||<||<=||>||>=||&|||||=>||<=>|assume conjunctioninterval fromRight deleteAllrestrictDomain removeDomain mapItwTypeanyM changeStatewithLocalState internalError programDocrenderWithTabsunOpDocbinOpDoctypeDocsigDocexprDoc statementDocdeclDocfdefDocconstraintSetDocabstractStoreDocnestDefnewlinevsepcommaSepanglesspacesoption optionMaybe TypeErrorContextctxTypeConstructorsctxTypeSynonyms ctxGlobals ctxConstants ctxFunctions ctxProcedures ctxTypeVarsctxIns ctxLocals ctxModifies ctxLabels ctxEncLabels ctxTwoState ctxInLoopctxPosctxFreshTVCounttypeCheckProgramexprType enterFunctionenterProcedureenterQuantified emptyContext setLocals typeNames globalScope localScope mutableVarsallVarsallNames funProcNamesfunSigprocSig typeErrorsDocresolveprogramtype_ expression statementdecl negationNFprenexNF normalizeHeapRefrefDoc emptyHeapat hasGarbageallocdeallocupdate incRefCount decRefCountheapDocMemoryStoreValue ReferenceMapValue CustomValue BoolValueIntValueMapReprDerivedSourceemptyMapstoredvalueFromInteger unValueBoolvnot unValueMapvalueDoc flattenMap mapSource mapValues refIdTypeName ucTypeName deepDerefobjectEq mustDisagree mustAgree emptyStorestoreDoc userStore functionConstAbstractMemory StoreLens memConstants memGlobalsmemHeap memLocalsmemOld emptyMemoryvisibleVariables memoryDoc Environment amGlobalsamHeapamLocalsenvConstraintsenvCustomCount envGeneratorenvInOld envMemory envProcedures envQBoundenvTypeContextinitEnvlookupProcedurelookupNameConstraintslookupMapConstraintslookupCustomCountaddProcedureImpladdGlobalDefinitionaddMapDefinitionaddMapConstraintsetCustomCountwithHeap toBasicBlocks startLabelSummary sPassCount sFailCount sInvalidCountsNonExecutableCountsUniqueFailuresTestCase tcProceduretcMemory tcFailure FailureKind Nonexecutable UnreachableErrorRuntimeFailure rtfSourcertfPos rtfMemoryrtfTrace StackTrace StackFramecallPoscallName FailureSourceInternalException MapEqualityInfiniteDomainUnsupportedConstructDivisionByZero SpecViolationexecuteProgramexecuteProgramDetexecuteProgramGeneric failureKindruntimeFailureDocisPass isInvalidisNonexecutableisFailtestCaseSummary finalStateDoc summaryDoctestSessionSummaryevalexec execProcedure preprocessbase Data.MaybeNothing $fNumInterval$fLatticeInterval $fEqInterval$fShowInterval $fOrdExtended $fNumExtended$fShowExtended$fMonadTransErrorAccumT$fMonadErrorAccumT attachPosM $fFunctorPos $fShowPos$fEqPosremoveClashesWith forallUnifier paramBinding Data.EitherRightLeftGHC.ListanyallMallfreeVarsTwoState' exprSubst'freeSelections' applications'$fEqPSig$fEqFSigqOpDocpower exprDocAtJust condParens typeArgsDoc idTypeDocidTypeWhereDocblockDocbracedBlockDocbodyDoctransformedBlockDoclabelDoc specTypeDoc specClauseDoc typeDeclDoc constantDoc functionDoc varDeclDoc procedureDocimplementationDoc defaultIndent$fEqDoc$fShowBareDecl$fShowBareStatement$fShowBareExpression $fShowType $fShowProgramTyping genFreshTVlocally typeErrorDocthrowTypeError typeMismatch checkTypeVar checkType withFreshTV fInstance pInstancecheckExpressioncheckStatement collectLabels checkBlock collectTypes checkTypeDeclcheckTypeSynonyms checkCyclescheckSignatures checkIdTypecheckFunctionSignaturecheckProcSignature checkBodies checkWherecheckParentInfo checkAxiom checkFunctioncheckProcedure checkBodycheckImplementation checkProgram checkMatch setGlobals setConstants setTypeVarssetIns setModifies setLabels setTwoState setInLoopsetPoscheckVarcheckApplicationcheckMapSelectioncheckMapUpdatecheckOldcheckIfExpression checkCoercioncheckUnaryExpressioncheckBinaryExpressioncheckQuantified checkAssign checkCallcheckCallForallcheckIf checkWhile checkGotocheckSimpleBreakcheckLabelBreak checkLefts$fErrorListTypeErroropNamesopStartopLetter boogieDeflexer identifierreserved reservedOp charLiteral stringLiteralnaturalintegersymbol whiteSpacebracketsparensbracessemicomma commaSep1typeAtomtypeArgsmapType typeCtorArgsqopatomarrayExpressioncoercionExpressiontablewildcardExpressionlhsassigncall callForall ifStatementwhileStatementlabel lStatement statementListblocknewTypetypeDecl parentEdge constantDecl functionDecl axiomDeclvarListvarDeclbodyprocDeclimplDeclspec hasKeywordidsTypeungroup idsTypeWhere ungroupWheretrigAttrtrigger attribute _hValCounts _hGarbage_hFree_hFreshhFreehFreshhGarbage hValCounts $fShowHeap _memLocals _memGlobals_memOld _memConstants_memHeap mapReprDoc _amLocals _amGlobals_amHeap _envMemory_envConstraints_envProcedures_envTypeContext _envGenerator_envCustomCount _envQBound _envInOldemptyAbstractMemory lookupGettermustEqmustNeqmayEqmayNeq $fShowValue $fShowMemorycombineGettersattachjustBareStatement justStatement justLabel innermost genFreshLabel transform LinearFormIntervalConstraintsDomain InternalCode Finalizer SafeExecution Execution execUnsafely execSafelyoldsaveOld restoreOldexecuteLocallythrowRuntimeFailure addStackFrame sameFault equivalentgenerate generateValuegenerateValueLikeincRefCountValuedecRefCountValueunsetVarsetVarresetVar resetAnyVar forgetVar forgetAnyVar setMapValueforgetMapValuereadHeapallocatecollectGarbageunOp binOpLazybinOp euclidean execBlocktryOneOfcheckPreconditionscheckPostonditions wellDefinedcheckDefinitionscheckNameDefinitionscheckMapDefinitionsapplyConstraintcheckNameConstraintscheckMapConstraintsextractConstraints extractArgsdomainsinferConstraints inferInterval toLinearForm evalEqualitymakeEqUnderConstruction NotLinearfinallythrowInternalException totalCountevalVarrejectMapIndexevalMapSelection evalMapUpdateevalIf evalBinary evalExists evalExists' execPredicate execHavoc execAssignexecCall execCallBySigcheckDefinitions'processFunctionprocessProcedureBody processAxiomextractConstraints' $fShowSummary$fEqRuntimeFailure$fShowRuntimeFailure$fErrorRuntimeFailure$fFinalizerErrorT$fFinalizerStateT